$30 IP-KVM Flaws Could Enable BIOS-Level Enterprise Network Attacks

Recent threat research exposes a critical security crisis with low-cost IP-KVM devices, revealing nine vulnerabilities across four prominent vendors. These budget management tools have been transformed into potent attack vectors due to fundamental security flaws.

Compromising a single KVM device grants an attacker complete physical-level control over every connected system, providing direct keyboard, video, and mouse access at the BIOS level. This bypasses all operating systems and endpoint security controls entirely.

$30 IP-KVM Flaws

According to Eclypsium, traditional KVM switches required physical presence, but modern IP-KVM variants add critical remote network connectivity.

While enterprise-grade KVMs command prices in the thousands, a new affordable market has emerged, ranging from $30 to $100. These devices are now widely deployed in enterprise data centers, healthcare facilities, and industrial environments.

This rapid adoption carries immense risk. The number of vulnerable, internet-facing KVM devices surged from 404 in June 2025 to over 1,600 by January 2026.

Threat actors are actively exploiting this device class. Reports confirm malicious remote workers use these compromised devices to infiltrate corporate networks.

The nine identified vulnerabilities impact devices from GL-iNet, Angeet, Sipeed, and JetKVM.

These flaws stem from critical basic failures: missing firmware signatures, exposed debug interfaces, and a complete lack of brute-force login protection.

Angeet’s ES3 KVM contains the most severe flaw: an unauthenticated file upload vulnerability enabling arbitrary file writes. When combined with a separate command injection bug, attackers achieve full remote code execution with root privileges.

GL-iNet’s Comet RM-1 suffers from four distinct vulnerabilities. Its firmware update mechanism relies solely on easily manipulated MD5 hashes instead of secure cryptographic signatures, allowing attackers to install malicious firmware. Its physical serial interface also provides an instant root shell without requiring any credentials.

JetKVM devices initially lacked rate limiting, enabling attackers to guess passwords rapidly without being blocked. Sipeed’s NanoKVM exposed its wireless configuration endpoint, allowing attackers to hijack the network connection. JetKVM and Sipeed have released patches for their respective vulnerabilities.

Vendor Product CVE Vulnerability CVSS Status
GL-iNet Comet RM-1 CVE-2026-32290 Insufficient firmware verification 4.2 No fix planned
GL-iNet Comet RM-1 CVE-2026-32291 UART root access 7.6 No fix planned
GL-iNet Comet RM-1 CVE-2026-32292 Insufficient brute-force protection 5.3 Fixed in v1.8.1 BETA
GL-iNet Comet RM-1 CVE-2026-32293 Insecure initial cloud provisioning 3.1 Fixed in v1.8.1 BETA
Angeet ES3 KVM CVE-2026-32297 Unauthenticated file upload 9.8 No fix available
Angeet ES3 KVM CVE-2026-32298 OS command injection 8.8 No fix available
Sipeed NanoKVM CVE-2026-32296 Configuration endpoint exposure 5.4 Fixed in v2.3.1
JetKVM JetKVM CVE-2026-32294 Insufficient update verification 6.7 Fixed in v0.5.4
JetKVM JetKVM CVE-2026-32295 Insufficient rate limiting 7.3 Fixed in v0.5.4

A compromised KVM operates below the operating system layer, making it completely invisible to traditional antivirus and host firewall software.

Attackers can inject malicious keystrokes to deploy ransomware, boot systems from hidden removable media to bypass disk encryption, or alter the computer’s startup sequence.

Because KVMs run their own Linux environments, hackers can hide persistent backdoors directly on the device itself.

Security teams must urgently isolate these KVM devices on dedicated management networks and never expose them to the public internet.

Related Articles

Back to top button