Critical IP-KVM Vulnerabilities Expose Enterprise Networks to BIOS-Level Attacks
Recent security research has unveiled nine critical vulnerabilities in four widely used, low-cost IP-KVM (Internet Protocol – Keyboard, Video, Mouse) devices. These flaws grant attackers BIOS-level control over connected systems, effectively bypassing operating system security measures and Endpoint Detection and Response (EDR) agents.
Understanding the Threat
IP-KVM devices enable remote management of computers by simulating physical access to the keyboard, video display, and mouse. While they offer convenience, their compromise can lead to severe security breaches. An attacker with control over an IP-KVM can:
– Inject Keystrokes: Execute commands or install malware remotely.
– Boot from External Media: Bypass disk encryption and access sensitive data.
– Modify BIOS Settings: Disable security features like Secure Boot, facilitating persistent threats.
Because they sit below the host operating system, compromised IP-KVMs are invisible to host-based security tools such as EDR agents, posing a significant risk to enterprise networks.
Active Exploitation in the Wild
The severity of these vulnerabilities is underscored by active exploitation. The FBI has investigated threats related to KVM devices, and Microsoft has documented instances where state-sponsored actors utilized IP-KVMs to gain remote physical control over corporate laptops. Additionally, over 1,600 of these devices have been identified as directly exposed to the internet, expanding the attack surface for malicious actors.
Detailed Vulnerability Breakdown
The vulnerabilities affect devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM, priced between $30 and $100. Key issues include:
– GL-iNet Comet RM-1:
  – CVE-2026-32290: Insufficient firmware verification (CVSS 4.2).
  – CVE-2026-32291: UART root access (CVSS 7.6).
  – CVE-2026-32292: Insufficient brute-force protection (CVSS 5.3).
  – CVE-2026-32293: Insecure cloud provisioning (CVSS 3.1).
– Angeet/Yeeso ES3 KVM:
  – CVE-2026-32297: Unauthenticated file upload (CVSS 9.8).
  – CVE-2026-32298: OS command injection (CVSS 8.8).
– Sipeed NanoKVM:
  – CVE-2026-32296: Configuration endpoint exposure (CVSS 5.4).
– JetKVM:
  – CVE-2026-32294: Insufficient update verification (CVSS 6.7).
  – CVE-2026-32295: Insufficient rate limiting (CVSS 7.3).
The most critical vulnerability, CVE-2026-32297, in the Angeet ES3 KVM, allows unauthenticated file uploads. When combined with CVE-2026-32298, it enables pre-authentication remote code execution with root privileges. Similarly, the GL-iNet Comet RM-1 provides unauthenticated root-level access via its UART interface and relies on an easily spoofed MD5 hash for firmware verification.
Mitigation Strategies
To safeguard enterprise networks from these vulnerabilities, organizations should:
1. Isolate IP-KVM Devices: Place them on dedicated management VLANs and ensure they are not directly exposed to the internet.
2. Implement Strong Authentication: Use robust authentication mechanisms and Virtual Private Networks (VPNs) to control access.
3. Inventory and Monitor: Identify all IP-KVM devices within the network, monitor for unusual outbound traffic, and apply the latest firmware patches provided by vendors.
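The inventory-and-monitoring step above can be turned into a simple check over connection records. The following is an added example, not code from the article or from any of the vendors named: it assumes a hypothetical inventory of IP-KVM addresses on a management VLAN, a short allowlist of peers a KVM legitimately talks to (jump host, vendor update server), and constructed flow records, and it flags KVMs that talk to anything else or that receive connections from outside the management VLAN.

```python
import ipaddress

# Hypothetical inventory of IP-KVM management addresses (constructed, not real).
KVM_INVENTORY = {
    "10.50.1.10": "rack3-nanokvm",
    "10.50.1.11": "rack3-jetkvm",
    "10.50.1.12": "lab-comet-rm1",
}
# Peers an IP-KVM legitimately needs: the management jump host and the vendor
# update endpoint. Both are placeholders (the second is RFC 5737 documentation space).
ALLOWED_PEERS = {"10.50.0.5", "203.0.113.20"}
MGMT_VLAN = ipaddress.ip_network("10.50.0.0/16")
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed flow records, one per line: src,dst,dport,proto
SAMPLE_FLOWS = """\
10.50.1.10,10.50.0.5,443,tcp
10.50.1.11,203.0.113.20,443,tcp
10.50.1.12,198.51.100.77,443,tcp
10.50.1.10,10.50.1.11,22,tcp
192.0.2.33,10.50.1.11,80,tcp
10.20.3.4,10.50.1.10,80,tcp
"""

def is_internal(addr):
    """True if addr falls in one of the RFC 1918 ranges used on this network."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_flows(text):
    flows = []
    for line in text.strip().splitlines():
        src, dst, dport, proto = line.split(",")
        flows.append((src, dst, int(dport), proto))
    return flows

def classify(flow):
    """Return (device, kind, peer) findings for one flow; empty list if benign."""
    src, dst, dport, proto = flow
    findings = []
    if src in KVM_INVENTORY and dst not in ALLOWED_PEERS:
        kind = "outbound-unexpected" if is_internal(dst) else "outbound-external"
        findings.append((KVM_INVENTORY[src], kind, f"{dst}:{dport}/{proto}"))
    if dst in KVM_INVENTORY and ipaddress.ip_address(src) not in MGMT_VLAN:
        findings.append((KVM_INVENTORY[dst], "inbound-outside-mgmt", f"{src}:{dport}/{proto}"))
    return findings

def audit(text):
    """Run every flow through classify() and collect the findings."""
    findings = []
    for flow in parse_flows(text):
        findings.extend(classify(flow))
    return findings

if __name__ == "__main__":
    for device, kind, peer in audit(SAMPLE_FLOWS):
        print(f"{device}: {kind} {peer}")
```

On the constructed sample the check reports four findings: one KVM reaching an external address, one KVM connecting to a neighbouring KVM, and two KVMs accepting connections from outside the management VLAN, while the two allowlisted flows pass silently.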
By treating IP-KVM devices as critical infrastructure and implementing these measures, organizations can significantly reduce the risk posed by these vulnerabilities.