HIGH Vulnerabilities Eclypsium

InfoRiskToday: Cheap and Dangerous: IP KVMs Carry Flaws

A critical vulnerability (CVE-2026-32298, CVSS 9.1) in certain IP KVM devices allows unauthenticated attackers to inject commands that run as root, via unsanitized input to the device's conf.lua configuration script, giving them keyboard, video and mouse control of every connected machine down to the BIOS/UEFI setup. Another high-severity flaw (CVE-2026-32297, CVSS 7.5) lets an unauthenticated attacker upload arbitrary files to the device. These low-cost, internet-connected KVMs work independently of the host operating system, so a compromised unit is invisible to EDR and antivirus, and widespread hygiene failures such as missing firmware signature validation, no brute-force protection and broken access controls make them a significant attack vector.

Cheap and Dangerous: IP KVMs Carry Flaws
Internet-Connected Remote Access Tools Operate at UEFI Level
Greg Sirico • March 17, 2026

A flood of low-cost devices for remote IP control of servers and human-machine interfaces has brought a concomitant wave of warnings about their security defects.

KVM - "keyboard, video, mouse" - devices work independently of the host: they present themselves to it as a keyboard and mouse and capture its video output, so they function before any operating system has loaded, including in the UEFI setup, in contrast to remote management tools that require an already loaded operating system. Their appeal for remote management is palpable, whether because they eliminate a long drive to the data center or allow an engineer to access a human-machine interface without exposure to unsafe surroundings.

Not so long ago, KVMs were rack-mounted and expensive. Now they're cheap and abundant - to be had for less than $100. They're gaining recognition as a vector for cyberattacks. Breach a KVM and a hacker can operate below the operating system and out of sight of traditional security tools, endpoint detection and response tools or antivirus software.

"Compromising a KVM device gives an attacker the equivalent of physical access to every machine connected to it. Not 'kind of like' physical access. Actual keyboard, video and mouse control, at the BIOS level," warns firmware security firm Eclypsium in a Tuesday blog post.

"These are basically small computers running Linux. Once they control that pivot point, attackers can inject keystrokes, boot into BIOS or safe mode and constantly reinfect the host system," said Paul Asadoorian, principal security researcher at Eclypsium. "There's a lot more of these devices hitting the market at a lower cost than initially thought," Asadoorian told Information Security Media Group.
Eclypsium probed devices made by four KVM vendors, discovering nine vulnerabilities. "The common themes are damning: missing firmware signature validation, no brute-force protection, broken access controls and exposed debug interfaces. These are fundamental security hygiene failures," the firm wrote. Not all manufacturers approached by Eclypsium committed to patching the issues.

The most serious vulnerability, tracked as CVE-2026-32297, affects the ES3 KVM model made by manufacturer Angeet, which also sells devices under the Yesso brand. The vulnerability exposes an upload endpoint, meaning an unauthenticated attacker with network access to the device could write arbitrary files to it. Another flaw, CVE-2026-32298, allows an unauthenticated attacker to inject commands that run as root through the conf.lua configuration script, because the device does not sanitize its inputs. Eclypsium said Angeet committed to fixing the flaws but did not provide a timeline.

Eclypsium is not the first security firm to warn about KVMs. In a June 2025 blog post, runZero documented a slew of problems in the latest wave of KVMs, such as charging users for authentication features, unresolved software flaws and overly verbose disclosure of configuration settings. KVMs have also generated unease for their use by North Korean IT workers, who have attached them to company-issued laptops housed in laptop farms in order to mask their actual location (see: How to Spot a North Korean Job Candidate).

Although a widespread threat campaign has yet to be observed exploiting the vulnerabilities, Asadoorian says it's only a matter of time before attackers target them. "As this becomes more popular and gets on attackers' radar they'll say, 'let me see if any are exposed to the internet,'" Asadoorian said, because "KVMs are such a great place to hide."
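The conf.lua flaw described above is an instance of a general class: a configuration value that the device's web handler concatenates into a shell command line. The following is an added illustration of that class, not Eclypsium's finding, the ES3's actual code or an exploit for it; the device runs Lua, but the pattern is shown here in Python so it can be run anywhere. The config keys, the setter commands in SETTERS, the allowlist patterns and the sample request values are all constructed assumptions. The vulnerable builder is shown beside a hardened one that validates against an allowlist and produces an argv list for execution without a shell.

```python
import re
import shlex

# Constructed sample input: two configuration values as a device's web handler
# might receive them from an unauthenticated POST. The "hostname" value carries
# a shell-metacharacter payload. Illustrative data, not a captured request.
SAMPLE_CONFIG = {
    "hostname": "kvm01; id > /tmp/pwned",
    "ntp_server": "pool.ntp.org",
}

# Hypothetical mapping from config key to the system command that applies it.
SETTERS = {
    "hostname": ["/bin/hostname"],
    "ntp_server": ["/usr/sbin/ntpdate", "-u"],
}

# Allowlists (assumed): each value must be a bare host label or name, nothing else.
VALUE_RE = {
    "hostname": re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,62})$"),
    "ntp_server": re.compile(r"^[A-Za-z0-9.-]{1,253}$"),
}


def build_unsafe(key, value):
    """Vulnerable pattern: the value is concatenated into a single string that the
    caller later hands to a shell (os.execute / os.system). Any metacharacter in
    `value` is interpreted as shell syntax, and since the handler runs as root on
    a device like this, so does the injected command."""
    return " ".join(SETTERS[key]) + " " + value


def shell_commands(cmdline):
    """Count how many separate commands a POSIX shell would run for `cmdline`.
    shlex in punctuation mode returns ';', '&&', '||', '|', '&' as their own
    tokens, so each such token starts an additional command."""
    tokens = list(shlex.shlex(cmdline, posix=True, punctuation_chars=True))
    separators = {";", "&&", "||", "|", "&"}
    return 1 + sum(1 for t in tokens if t in separators)


def build_safe(key, value):
    """Hardened pattern: reject anything outside a strict allowlist, then build an
    argv list to be executed without a shell (subprocess.run(argv, shell=False)),
    so no character in `value` can ever become shell syntax."""
    pattern = VALUE_RE.get(key)
    if pattern is None:
        raise ValueError(f"unknown config key: {key!r}")
    if not pattern.fullmatch(value):
        raise ValueError(f"rejected value for {key}: {value!r}")
    return SETTERS[key] + [value]


def apply_config(config, builder):
    """Run every key through `builder`; return (accepted commands, rejections)."""
    applied, rejected = {}, {}
    for key, value in config.items():
        try:
            applied[key] = builder(key, value)
        except ValueError as exc:
            rejected[key] = str(exc)
    return applied, rejected


if __name__ == "__main__":
    unsafe, _ = apply_config(SAMPLE_CONFIG, build_unsafe)
    for key, cmd in unsafe.items():
        print(f"{key}: {cmd!r} -> {shell_commands(cmd)} shell command(s)")
    safe, rejected = apply_config(SAMPLE_CONFIG, build_safe)
    print("accepted:", safe)
    print("rejected:", rejected)
```

The point of the allowlist plus argv approach is that the two defences are independent: even if a regex is later loosened by mistake, an argv list passed to the kernel without a shell cannot grow a second command. Escaping a value for the shell (quoting it) is a weaker substitute, because every escaping routine has to be exactly right for the shell the device actually ships.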
About the Author: Greg Sirico, Copy Editor, Global Copy Desk. Sirico began his career in 2018 at his local publication, the Asbury Park Press. From 2021 to early 2025, Sirico served as an editor at Best Lawyers, collaborating with top-tier publications such as The Wall Street Journal, Bloomberg Law and Handelsblatt.