Cybersecurity researchers have revealed nine severe vulnerabilities in low-cost IP KVM devices, highlighting the risks posed by these networked remote management tools. The flaws were discovered by Eclypsium and affect the GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM.
IP KVM devices provide remote access to a system’s keyboard, video output, and mouse at the BIOS/UEFI level. Vulnerabilities in these devices allow attackers to gain root-level access, execute arbitrary code, and bypass security protections.
Overview of the Vulnerabilities
The nine flaws are summarized as follows:
- CVE-2026-32290 (CVSS 4.2) – Firmware authenticity verification missing in GL-iNet Comet KVM (Fix planned)
- CVE-2026-32291 (CVSS 7.6) – UART root access flaw in GL-iNet Comet KVM (Fix planned)
- CVE-2026-32292 (CVSS 5.3) – Weak brute-force protection in GL-iNet Comet KVM (Fixed in v1.8.1 BETA)
- CVE-2026-32293 (CVSS 3.1) – Insecure initial provisioning via unauthenticated cloud connection in GL-iNet Comet KVM (Fixed in v1.8.1 BETA)
- CVE-2026-32294 (CVSS 6.7) – Insufficient update verification in JetKVM (Fixed in v0.5.4)
- CVE-2026-32295 (CVSS 7.3) – Weak rate limiting in JetKVM (Fixed in v0.5.4)
- CVE-2026-32296 (CVSS 5.4) – Configuration endpoint exposure in Sipeed NanoKVM (Fixed in NanoKVM v2.3.1 / Pro v1.2.4)
- CVE-2026-32297 (CVSS 9.8) – Missing authentication in Angeet ES3 KVM enabling arbitrary code execution (No fix yet)
- CVE-2026-32298 (CVSS 8.8) – OS command injection in Angeet ES3 KVM (No fix yet)
Researchers Paul Asadoorian and Reynaldo Vasquez Garcia emphasized that these flaws result from missing firmware signatures, lack of brute-force protection, broken access controls, and exposed debug interfaces, rather than complex zero-days.
Risks and Potential Exploitation
Exploitation could allow an attacker to:
- Inject keystrokes at the BIOS/UEFI level
- Boot from removable media to bypass disk encryption or Secure Boot
- Circumvent lock screens and access systems remotely
- Maintain persistent backdoors on host machines
“Compromised KVMs provide a silent, direct channel to every connected system,” Eclypsium noted. “Even after remediation, attackers can maintain access through the KVM itself, especially when firmware updates lack proper signature validation.”
Historical Context
IP KVM vulnerabilities are not new. In July 2025, Positive Technologies disclosed five critical flaws in ATEN International switches (CVE-2025-3710 through CVE-2025-3714) that allowed denial-of-service and remote code execution attacks.
Additionally, IP KVM switches like PiKVM and TinyPilot have reportedly been used by North Korean IT personnel to remotely control company-issued laptops hosted on centralized farms.


