Cybersecurity researchers have warned about the risks posed by low-cost IP KVM (Keyboard, Video, Mouse over Internet Protocol) devices, which can grant attackers extensive control over compromised hosts. The nine vulnerabilities, discovered by **Eclypsium**, span four different products from **GL-iNet** Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM. The most severe of them allow unauthenticated actors to gain root access or run malicious code. "The common themes are damning: missing firmware signature validation, no brute-force protection, broken access controls, and exposed debug interfaces," researchers Paul Asadoorian and Reynaldo Vasquez Garcia [said](https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/) in an analysis. ### The Risk of Remote Takeover IP KVM devices enable remote access to a target machine's keyboard, video output, and mouse input at the BIOS/UEFI level. Exploiting vulnerabilities in these products can expose systems to takeover risks, undermining existing security controls. Here's a breakdown of the identified shortcomings: * **CVE-2026-32290** (CVSS score: 4.2) - Insufficient firmware authenticity verification in **GL-iNet** Comet KVM (Fix being planned) * **CVE-2026-32291** (CVSS score: 7.6) - Universal Asynchronous Receiver-Transmitter (UART) root access vulnerability in **GL-iNet** Comet KVM (Fix being planned) * **CVE-2026-32292** (CVSS score: 5.3) - Insufficient brute-force protection vulnerability in **GL-iNet** Comet KVM (Fixed in version 1.8.1 BETA) * **CVE-2026-32293** (CVSS score: 3.1) - Insecure initial provisioning via unauthenticated cloud connection vulnerability in **GL-iNet** Comet KVM (Fixed in version 1.8.1 BETA) * **CVE-2026-32294** (CVSS score: 6.7) - Insufficient update verification vulnerability in JetKVM (Fixed in version 0.5.4) * **CVE-2026-32295** (CVSS score: 7.3) - Insufficient rate limiting vulnerability in JetKVM (Fixed in version 0.5.4) * **CVE-2026-32296** (CVSS score: 5.4) - Configuration endpoint exposure vulnerability in Sipeed NanoKVM (Fixed in NanoKVM version 2.3.1 and NanoKVM Pro version 1.2.4) * **CVE-2026-32297** (CVSS score: 9.8) - Missing authentication for a critical function vulnerability in Angeet ES3 KVM leading to arbitrary code execution (No fix available) * **CVE-2026-32298** (CVSS score: 8.8) - Operating system command injection vulnerability in Angeet ES3 KVM leading to arbitrary command execution (No fix available) ### Fundamental Security Flaws "These are not exotic zero-days requiring months of reverse engineering," the researchers noted. "These are fundamental security controls that any networked device should implement. Input validation. Authentication. Cryptographic verification. Rate limiting. We are looking at the same class of failures that plagued early IoT devices a decade ago, but now on a device class that provides the equivalent of physical access to everything it connects to." An adversary can weaponize these issues to inject keystrokes, boot from removable media to bypass disk encryption or Secure Boot protections, circumvent lock screens and access systems, and, more importantly, remain undetected by security software installed at the operating system level. ### Prior Warnings and North Korean Exploitation This isn't the first time vulnerabilities have been disclosed in IP KVM devices. In July 2025, Russian cybersecurity vendor **Positive Technologies** [flagged five flaws](https://global.ptsecurity.com/en/about/news/vulnerabilities-in-aten-international-switches-patched-with-the-assistance-of-pt-experts/) in **ATEN International** switches (**CVE-2025-3710**, **CVE-2025-3711**, **CVE-2025-3712**, **CVE-2025-3713**, and **CVE-2025-3714**) that could lead to denial-of-service or remote code execution. Furthermore, IP KVM switches like PiKVM or TinyPilot [have been used](https://thehackernews.com/2025/07/us-arrests-key-facilitator-in-north.html) by North Korean IT workers residing in countries like China to remotely connect to company-issued laptops hosted on laptop farms. ### Mitigation Strategies To mitigate these risks, it's recommended to: * Enforce multi-factor authentication (MFA) where supported. * Isolate KVM devices on a dedicated management VLAN. * Restrict internet access. * Use tools like Shodan to check for external exposure. * Monitor for unexpected network traffic to/from the devices. * Keep the firmware up-to-date. **Eclypsium** emphasizes the severity of a compromised KVM device. "A compromised KVM is not like a compromised IoT device sitting on your network. It is a direct, silent channel to every machine it controls," they stated. "An attacker who compromises the KVM can hide tools and backdoors on the device itself, consistently re-infecting host systems even after remediation." "Since some firmware updates lack signature verification on most of these devices, a supply-chain attacker could tamper with the firmware at distribution time and have it persist indefinitely."