Critical IP KVM Vulnerabilities Expose Systems to Unauthenticated Root Access
Recent cybersecurity research has unveiled nine critical vulnerabilities in low-cost IP KVM (Keyboard, Video, Mouse over Internet Protocol) devices, potentially granting attackers unauthenticated root access across products from four different vendors. These devices, designed to provide remote control over systems at the BIOS/UEFI level, are integral to managing servers and other critical infrastructure.
Overview of the Vulnerabilities
The vulnerabilities were identified by security firm Eclypsium in the following products:
– GL-iNet Comet RM-1
– Angeet/Yeeso ES3 KVM
– Sipeed NanoKVM
– JetKVM
The most severe of these flaws enable unauthenticated attackers to gain root access or execute arbitrary code on the affected devices. The common issues across these products include:
– Lack of Firmware Signature Validation: Allowing unauthorized firmware updates.
– Absence of Brute-Force Protection: Making devices susceptible to password guessing attacks.
– Broken Access Controls: Permitting unauthorized access to critical functions.
– Exposed Debug Interfaces: Providing attackers with potential entry points.
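The first item in the list above, missing firmware signature validation, is the control that turns an update channel into an arbitrary code path. The following Go program is an added illustration of what that check looks like on the device side; it is not code from Eclypsium, from any of the vendors named here, or from the JetKVM or NanoKVM projects. The bundle layout (a version number, the image bytes, and a detached Ed25519 signature over both) and the version numbers are constructed for the example, and the vendor public key is assumed to be pinned in the device's boot image.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// UpdateBundle is a constructed update format for this example, not any
// vendor's real firmware layout. The signature covers version || image so a
// valid old image cannot simply be re-wrapped under a newer version number.
type UpdateBundle struct {
	Version   uint32
	Image     []byte
	Signature []byte
}

var (
	ErrBadSignature = errors.New("firmware rejected: signature does not verify under the vendor key")
	ErrRollback     = errors.New("firmware rejected: version is older than the installed firmware")
)

// signedPayload is the exact byte string the vendor signs and the device verifies.
func signedPayload(version uint32, image []byte) []byte {
	buf := make([]byte, 4, 4+len(image))
	binary.BigEndian.PutUint32(buf, version)
	return append(buf, image...)
}

// VerifyFirmware performs the checks the affected devices skipped: the bundle
// must carry a valid Ed25519 signature from the pinned vendor key, and it must
// not be older than the installed firmware (anti-rollback). The signature is
// checked first so the version field of an unverified bundle is never trusted.
func VerifyFirmware(vendorPub ed25519.PublicKey, installed uint32, b UpdateBundle) error {
	if len(vendorPub) != ed25519.PublicKeySize {
		return errors.New("invalid vendor public key length")
	}
	if !ed25519.Verify(vendorPub, signedPayload(b.Version, b.Image), b.Signature) {
		return ErrBadSignature
	}
	if b.Version < installed {
		return ErrRollback
	}
	return nil
}

// SignFirmware stands in for the vendor's release pipeline (assumed for the demo).
func SignFirmware(vendorPriv ed25519.PrivateKey, version uint32, image []byte) UpdateBundle {
	return UpdateBundle{
		Version:   version,
		Image:     image,
		Signature: ed25519.Sign(vendorPriv, signedPayload(version, image)),
	}
}

func main() {
	vendorPub, vendorPriv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	const installed = 7 // constructed: version currently on the device
	image := []byte("constructed firmware image bytes")

	good := SignFirmware(vendorPriv, 8, image)
	fmt.Println("genuine v8:", VerifyFirmware(vendorPub, installed, good))

	tampered := good
	tampered.Image = append([]byte("x"), image...)
	fmt.Println("tampered image:", VerifyFirmware(vendorPub, installed, tampered))

	_, otherPriv, _ := ed25519.GenerateKey(rand.Reader)
	fmt.Println("wrong key:", VerifyFirmware(vendorPub, installed, SignFirmware(otherPriv, 8, image)))

	fmt.Println("rollback to v6:", VerifyFirmware(vendorPub, installed, SignFirmware(vendorPriv, 6, image)))
}
```

Only the genuine v8 bundle passes; a modified image, a bundle signed with any key other than the pinned one, and a correctly signed but older image are all refused before anything is written to flash.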
Paul Asadoorian and Reynaldo Vasquez Garcia from Eclypsium emphasized the severity, stating, "These are fundamental security controls that any networked device should implement. Input validation. Authentication. Cryptographic verification. Rate limiting."
Detailed Breakdown of Vulnerabilities
1. GL-iNet Comet KVM:
– CVE-2026-32290 (CVSS 4.2): Insufficient verification of firmware authenticity.
– CVE-2026-32291 (CVSS 7.6): UART root access vulnerability.
– CVE-2026-32292 (CVSS 5.3): Lack of brute-force protection.
– CVE-2026-32293 (CVSS 3.1): Insecure initial provisioning via unauthenticated cloud connection.
Status: Fixes are planned for CVE-2026-32290 and CVE-2026-32291. CVE-2026-32292 and CVE-2026-32293 have been addressed in version 1.8.1 BETA.
2. JetKVM:
– CVE-2026-32294 (CVSS 6.7): Insufficient update verification.
– CVE-2026-32295 (CVSS 7.3): Lack of rate limiting.
Status: Both vulnerabilities have been fixed in version 0.5.4.
3. Sipeed NanoKVM:
– CVE-2026-32296 (CVSS 5.4): Exposure of configuration endpoint.
Status: Fixed in NanoKVM version 2.3.1 and NanoKVM Pro version 1.2.4.
4. Angeet ES3 KVM:
– CVE-2026-32297 (CVSS 9.8): Missing authentication for critical functions, leading to arbitrary code execution.
– CVE-2026-32298 (CVSS 8.8): Operating system command injection vulnerability, allowing arbitrary command execution.
Status: No fixes are currently available for these vulnerabilities.
Potential Impact
Exploitation of these vulnerabilities can have severe consequences, including:
– Unauthorized System Control: Attackers can gain full control over affected systems, bypassing security measures like disk encryption and Secure Boot.
– Data Breaches: Access to sensitive information stored on compromised systems.
– Persistent Threats: Attackers can maintain undetected access, making it challenging to remove them from the network.
The researchers highlighted that these vulnerabilities are not complex zero-day exploits but fundamental security oversights reminiscent of early IoT device issues.
Recommendations for Mitigation
Organizations utilizing these IP KVM devices should take immediate action:
1. Apply Available Patches: Ensure all devices are updated to the latest firmware versions where fixes are available.
2. Monitor Vendor Communications: Stay informed about updates and patches for vulnerabilities that currently lack fixes.
3. Implement Network Segmentation: Isolate IP KVM devices from critical network segments to limit potential exploitation.
4. Enhance Access Controls: Implement strong authentication mechanisms and monitor for unauthorized access attempts.
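Step 4 asks for monitoring of unauthorized access attempts, which matters most on devices that, as noted above, ship without brute-force protection of their own. The Go program below is an added example of that monitoring done off the device, over authentication logs; it is not from Eclypsium or from any vendor named on this page. The log line format (`<RFC3339 time> auth=<ok|fail> user=<name> src=<ip>`), the sample lines, and the alert thresholds are all constructed for the example, and lines are assumed to arrive in chronological order.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Alert policy for this example (constructed values): flag any source that
// produces at least Threshold failed logins inside a sliding Window.
const (
	Threshold = 5
	Window    = 2 * time.Minute
)

// AuthEvent is one parsed line of the constructed KVM authentication log.
type AuthEvent struct {
	At     time.Time
	Result string // "ok" or "fail"
	User   string
	Src    string
}

// ParseAuthLine parses the constructed format
//   <RFC3339 time> auth=<ok|fail> user=<name> src=<ip>
// and reports false for lines that do not match it.
func ParseAuthLine(line string) (AuthEvent, bool) {
	fields := strings.Fields(line)
	if len(fields) < 4 {
		return AuthEvent{}, false
	}
	at, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return AuthEvent{}, false
	}
	ev := AuthEvent{At: at}
	for _, f := range fields[1:] {
		k, v, found := strings.Cut(f, "=")
		if !found {
			continue
		}
		switch k {
		case "auth":
			ev.Result = v
		case "user":
			ev.User = v
		case "src":
			ev.Src = v
		}
	}
	if ev.Result == "" || ev.Src == "" {
		return AuthEvent{}, false
	}
	return ev, true
}

// BruteForceSources returns, sorted, the sources whose failed logins reached
// Threshold within any Window. A successful login does not reset the count:
// a success right after a burst of failures is exactly the pattern to examine.
func BruteForceSources(log string) []string {
	failures := map[string][]time.Time{} // per-source failures still inside the window
	flagged := map[string]bool{}
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		ev, ok := ParseAuthLine(sc.Text())
		if !ok || ev.Result != "fail" {
			continue
		}
		kept := failures[ev.Src][:0] // in-place filter: drop failures older than the window
		for _, t := range failures[ev.Src] {
			if ev.At.Sub(t) <= Window {
				kept = append(kept, t)
			}
		}
		kept = append(kept, ev.At)
		failures[ev.Src] = kept
		if len(kept) >= Threshold {
			flagged[ev.Src] = true
		}
	}
	out := make([]string, 0, len(flagged))
	for s := range flagged {
		out = append(out, s)
	}
	sort.Strings(out)
	return out
}

// SampleLog is constructed: one normal login, one slow trickle of failures that
// stays under the window, one rapid burst ending in a success, and one junk line.
const SampleLog = `2026-03-10T08:00:00Z auth=ok user=admin src=192.0.2.10
2026-03-10T08:01:00Z auth=fail user=admin src=203.0.113.5
2026-03-10T08:02:00Z auth=fail user=admin src=198.51.100.7
2026-03-10T08:02:10Z auth=fail user=admin src=198.51.100.7
2026-03-10T08:02:20Z auth=fail user=root src=198.51.100.7
2026-03-10T08:02:30Z auth=fail user=admin src=198.51.100.7
2026-03-10T08:02:40Z auth=fail user=admin src=198.51.100.7
2026-03-10T08:02:50Z auth=ok user=admin src=198.51.100.7
2026-03-10T08:06:00Z auth=fail user=admin src=203.0.113.5
2026-03-10T08:11:00Z auth=fail user=admin src=203.0.113.5
this line is not in the expected format and is skipped`

func main() {
	fmt.Println("sources exceeding the failed-login threshold:", BruteForceSources(SampleLog))
}
```

On the sample log only 198.51.100.7 is reported: its five failures fall inside two minutes, while 203.0.113.5 never has more than one failure per window. Feeding the KVM's syslog output through this kind of check is a practical stand-in until the device itself enforces rate limiting.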
Conclusion
The discovery of these critical vulnerabilities underscores the importance of rigorous security practices in networked devices. Organizations must prioritize the security of IP KVM devices to prevent potential breaches and maintain the integrity of their systems.