IP KVM Vulnerabilities: $30 Devices Can Compromise Networks | Ars Technica
Security researchers have disclosed nine vulnerabilities in low-cost IP KVM (Keyboard, Video, Mouse) devices, potentially granting attackers unfettered access to critical network infrastructure. The devices, typically priced between $30 and $100, allow administrators remote access to computer systems at the BIOS/UEFI level – before the operating system even loads – and are manufactured by GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM.
The vulnerabilities, revealed Tuesday by the cybersecurity firm Eclypsium, range in severity but include flaws allowing unauthenticated hackers to gain root access or execute arbitrary code on compromised systems. According to Eclypsium researchers Paul Asadoorian and Reynaldo Vasquez Garcia, the issues are not the result of complex, previously unknown exploits. “These are not exotic zero-days requiring months of reverse engineering,” they wrote in a blog post. “These are fundamental security controls that any networked device should implement.”
IP KVMs are designed to provide convenient remote management of servers and other hardware, eliminating the need for physical presence. That depth of access, however, combined with often lax security configurations, creates a significant risk. The devices are frequently exposed directly to the internet, making them attractive targets for malicious actors. Because a KVM sits outside the managed host and presents itself to it as a keyboard, display and USB device, a successful compromise can bypass traditional endpoint security measures such as antivirus software and firewalls: the attacker's input arrives below the operating system, where host-based controls never see it, according to Cyberpress.org.
The most severe vulnerabilities are in Angeet/Yeeso ES3 KVM devices. CVE-2026-32297, with a CVSS score of 9.8, allows unauthenticated users to read arbitrary files, while CVE-2026-32298 (score 8.8) enables command injection at the operating-system level. Notably, patches for these vulnerabilities are currently unavailable.
GL-iNet Comet RM-1 devices are also affected, with four identified bugs: insufficient verification of firmware authenticity (CVE-2026-32290, score 4.2), root access via the UART serial console, which requires physical access to the board (CVE-2026-32291, score 7.6), weak brute-force protection (CVE-2026-32292, fixed in the v1.8.1 beta firmware), and insecure initial setup via an unauthenticated cloud connection (CVE-2026-32293, also fixed in the beta). Because those fixes are in a beta release, stable Comet firmware remained unpatched at disclosure. Sipeed NanoKVM devices received a patch in version v2.3.1, and JetKVM addressed two bugs (CVE-2026-32294 and CVE-2026-32295) in version 0.5.4.
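The article names three of the "fundamental" control failures (unauthenticated arbitrary file read, OS command injection, weak brute-force protection) without describing how any particular device's code gets them wrong. The following Python is an added, generic illustration of each class beside its hardened form; it is not the ES3, Comet or any vendor's code, and it does not reproduce the actual CVEs. All function names, the ping handler, the host allowlist pattern and the throwaway web-root fixture are assumptions made for the example.

```python
"""Generic vulnerable-vs-hardened patterns for the KVM bug classes in the article.
Added example code; none of this is taken from the affected devices."""
import os
import re
import tempfile


# --- 1. arbitrary file read via path traversal ---------------------------------
def read_file_vulnerable(base_dir, requested):
    """Typical bug: the client-supplied path is joined onto the web root with no
    containment check.  '../secret.txt' walks out of the root, and os.path.join
    discards base_dir entirely when requested is absolute ('/etc/shadow')."""
    with open(os.path.join(base_dir, requested), "rb") as f:
        return f.read()


def read_file_safe(base_dir, requested):
    """Hardened form: canonicalise both sides (symlinks, '..'), then require
    the resolved target to remain under the resolved root."""
    root = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(root, requested))
    if os.path.commonpath([root, target]) != root:
        raise PermissionError("path escapes web root: %r" % requested)
    with open(target, "rb") as f:
        return f.read()


def demo_file_read():
    """Constructed fixture: a temp web root with index.html, and a secret file
    one level above it standing in for /etc/shadow.  Returns what each reader did."""
    tmp = tempfile.mkdtemp()
    webroot = os.path.join(tmp, "www")
    os.mkdir(webroot)
    with open(os.path.join(webroot, "index.html"), "wb") as f:
        f.write(b"<html>kvm</html>")
    with open(os.path.join(tmp, "secret.txt"), "wb") as f:
        f.write(b"root:$6$...")
    result = {
        "vulnerable_escapes": read_file_vulnerable(webroot, "../secret.txt"),
        "safe_normal": read_file_safe(webroot, "index.html"),
    }
    try:
        read_file_safe(webroot, "../secret.txt")
        result["safe_escapes"] = True
    except PermissionError:
        result["safe_escapes"] = False
    return result


# --- 2. OS command injection -----------------------------------------------------
# Hypothetical "ping a host" diagnostic of the kind KVM web UIs expose.
HOST_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.:-]{0,252}$")  # no leading '-', no shell metachars


def ping_command_vulnerable(host):
    """String meant for subprocess.run(cmd, shell=True): the host is interpolated
    unescaped, so '10.0.0.1; cat /etc/shadow' runs a second command as the
    web server's user (root on many of these devices)."""
    return "ping -c 1 " + host


def is_valid_host(host):
    return HOST_RE.match(host) is not None


def ping_command_safe(host):
    """Hardened form: strict allowlist, then an argv list with no shell at all,
    so the host can only ever be one argument to ping."""
    if not is_valid_host(host):
        raise ValueError("rejected host %r" % host)
    return ["ping", "-c", "1", host]


# --- 3. brute-force protection ---------------------------------------------------
class LoginGuard:
    """Per-source failure counter with a lockout window.  The weak pattern it
    replaces is a login handler that answers every attempt at full speed."""

    def __init__(self, max_failures=5, lockout_seconds=300):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._failures = {}  # source -> (count, window_start)

    def login(self, source, password_ok, now):
        count, since = self._failures.get(source, (0, now))
        if now - since >= self.lockout_seconds:
            count, since = 0, now            # window expired, start fresh
        if count >= self.max_failures:
            return "locked"                  # refuse even a correct password
        if password_ok:
            self._failures.pop(source, None)
            return "ok"
        self._failures[source] = (count + 1, since)
        return "denied"
```

The per-source counter is the minimum a networked device should have; it does not stop a distributed attacker who spreads attempts across many sources, so a real implementation pairs it with a per-account counter and a slow password hash. Note that `read_file_safe` must canonicalise with `realpath` before comparing, since a symlink inside the web root can otherwise point anywhere.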
Researchers draw parallels between the security failings of IP KVMs and those of early Internet of Things (IoT) devices, characterized by low cost, rapid deployment, and inadequate security measures. However, the potential consequences of an IP KVM compromise are far more severe, granting attackers what Eclypsium describes as “the equivalent of physical access to everything it connects to.” Netcrook.com reports that the vulnerabilities could provide hackers with a “backstage pass to the heart of corporate infrastructure.”
The vulnerabilities underscore the risks of deploying devices with broad administrative access without robust security controls. The ease with which attackers can exploit these flaws raises concerns about the security posture of organizations relying on IP KVMs for remote server management; until patches ship, the practical mitigation the findings point to is keeping these devices off the public internet, on an isolated management network.
