Security News

Cybersecurity news aggregator


The Stack: 4 KVM vendors, 9 vulns – including an unfixed CVSS 9.8

Researchers have disclosed nine vulnerabilities, including an unfixed CVSS 9.8 flaw, in consumer-grade IP-KVM devices from four vendors, primarily Angeet/Yeeso. The vulnerabilities stem from poor security engineering such as missing firmware validation and broken access controls, allowing remote attackers to compromise these devices. No patches are currently available, and the vendor has not committed to a fix, leaving organizations reliant on these devices at risk.

4 KVM vendors, 9 vulns – including an unfixed CVSS 9.8

All the joy of physical-presence vulnerabilities but remotely, and many cheap, single-port IP-KVMs are wide open, says Eclypsium.

Phillip de Wet, Mar 17, 2026

Consumer-grade IP KVM (Keyboard, Video, Mouse) devices, which are increasingly popular, are a security nightmare, researchers from Eclypsium said on Tuesday.

Reynaldo Vasquez Garcia and Paul Asadoorian reported finding a total of nine vulnerabilities across devices from four different vendors. One rates as a CVSS 9.8, another comes in at 8.8, and neither has been fixed. The vendor Angeet/Yeeso, responsible for those flaws, had not committed to fixing them at the time of public disclosure.

The price of cheap

Rack-mounted, multi-port, and quite expensive KVM-over-IP devices have been around for years, offering the next best thing to actually sitting in front of a machine for purposes up to and including changing BIOS settings. Single-port KVMs are a newer phenomenon, with prices as low as $30, appealing to "homelabbers, small IT shops, MSPs," said the researchers, as well as, increasingly, "enterprises seeking per-machine out-of-band access." Per-machine KVMs are sometimes used for branch offices or edge computing to run dedicated VMs for local services without central orchestration, offering isolation and flexibility on modest hardware.

Under the hood, these KVMs have several hallmarks of terrible security engineering, said Eclypsium: "missing firmware signature validation, no brute-force protection, broken access controls, and exposed debug interfaces."
