$30 IP-KVM Flaws Could Enable BIOS-Level Enterprise Network Attacks
Recent threat research exposes a critical security crisis with low-cost IP-KVM devices, revealing nine vulnerabilities across four prominent vendors. These budget management tools have been transformed into potent attack vectors due to fundamental security flaws.
Compromising a single KVM device grants an attacker complete physical-level control over every connected system, providing direct keyboard, video, and mouse access at the BIOS level. This bypasses all operating systems and endpoint security controls entirely.
$30 IP-KVM Flaws
According to Eclypsium, traditional KVM switches required physical presence, but modern IP-KVM variants add critical remote network connectivity.
While enterprise-grade KVMs command prices in the thousands, a new affordable market has emerged, ranging from $30 to $100. These devices are now widely deployed in enterprise data centers, healthcare facilities, and industrial environments.
This rapid adoption carries immense risk. The number of vulnerable, internet-facing KVM devices surged from 404 in June 2025 to over 1,600 by January 2026.
Threat actors are actively exploiting this device class. Reports confirm malicious remote workers use these compromised devices to infiltrate corporate networks.
The nine identified vulnerabilities impact devices from GL-iNet, Angeet, Sipeed, and JetKVM.
These flaws stem from critical basic failures: missing firmware signatures, exposed debug interfaces, and a complete lack of brute-force login protection.
Angeet’s ES3 KVM contains the most severe flaw: an unauthenticated file upload vulnerability enabling arbitrary file writes. When combined with a separate command injection bug, attackers achieve full remote code execution with root privileges.
GL-iNet’s Comet RM-1 suffers from four distinct vulnerabilities. Its firmware update mechanism relies solely on easily manipulated MD5 hashes instead of secure cryptographic signatures, allowing attackers to install malicious firmware. Its physical serial interface also provides an instant root shell without requiring any credentials.
JetKVM devices initially lacked rate limiting, enabling attackers to guess passwords rapidly without being blocked. Sipeed’s NanoKVM exposed its wireless configuration endpoint, allowing attackers to hijack the network connection. JetKVM and Sipeed have released patches for their respective vulnerabilities.
| Vendor | Product | CVE | Vulnerability | CVSS | Status |
|---|---|---|---|---|---|
| GL-iNet | Comet RM-1 | CVE-2026-32290 | Insufficient firmware verification | 4.2 | No fix planned |
| GL-iNet | Comet RM-1 | CVE-2026-32291 | UART root access | 7.6 | No fix planned |
| GL-iNet | Comet RM-1 | CVE-2026-32292 | Insufficient brute-force protection | 5.3 | Fixed in v1.8.1 BETA |
| GL-iNet | Comet RM-1 | CVE-2026-32293 | Insecure initial cloud provisioning | 3.1 | Fixed in v1.8.1 BETA |
| Angeet | ES3 KVM | CVE-2026-32297 | Unauthenticated file upload | 9.8 | No fix available |
| Angeet | ES3 KVM | CVE-2026-32298 | OS command injection | 8.8 | No fix available |
| Sipeed | NanoKVM | CVE-2026-32296 | Configuration endpoint exposure | 5.4 | Fixed in v2.3.1 |
| JetKVM | JetKVM | CVE-2026-32294 | Insufficient update verification | 6.7 | Fixed in v0.5.4 |
| JetKVM | JetKVM | CVE-2026-32295 | Insufficient rate limiting | 7.3 | Fixed in v0.5.4 |
A compromised KVM operates below the operating system layer, making it completely invisible to traditional antivirus and host firewall software.
Attackers can inject malicious keystrokes to deploy ransomware, boot systems from hidden removable media to bypass disk encryption, or alter the computer’s startup sequence.
Because KVMs run their own Linux environments, hackers can hide persistent backdoors directly on the device itself.
Security teams must urgently isolate these KVM devices on dedicated management networks and never expose them to the public internet.