9 IP-KVM flaws expose four vendors to root access and remote takeover risks
Security researchers have disclosed nine vulnerabilities across four low-cost IP-KVM vendors, warning that some of the flaws can let attackers gain root access or run code with little or no authentication. Eclypsium said the affected products are the GL.iNet Comet RM-1, Angeet or Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM.
That matters because IP-KVM devices do far more than ordinary network gear. They sit below the operating system and can control a machine’s keyboard, video, and mouse at the BIOS or UEFI level. Eclypsium said a compromised KVM can give an attacker the equivalent of physical access, including the ability to inject keystrokes, boot from removable media, or bypass security controls that operate inside the OS.
The most serious issues affect the Angeet or Yeeso ES3 KVM. Eclypsium lists CVE-2026-32297 with a CVSS 3.1 score of 9.8 for unauthenticated arbitrary file write that can lead to code execution, and CVE-2026-32298 with a score of 8.8 for OS command injection. Eclypsium says there is currently no fix available for either issue.
Other findings hit firmware security and basic access controls. On GL.iNet’s Comet RM-1, Eclypsium reported flaws involving insufficient firmware authenticity verification, UART root access, weak brute-force protection, and insecure initial provisioning. On JetKVM, the researchers found insufficient update verification and weak rate limiting. On Sipeed NanoKVM, they identified a configuration endpoint exposure bug.
The patch picture looks mixed. Eclypsium says JetKVM fixed its two issues in version 0.5.4, Sipeed fixed its vulnerability in NanoKVM 2.3.1 and NanoKVM Pro 1.2.4, and GL.iNet fixed two bugs in version 1.8.1 beta while fixes for two others are still being planned. The Angeet or Yeeso ES3 flaws remain the most concerning because no vendor fix is available yet.
Affected devices and patch status
| Vendor | Product | CVE | Issue | Severity | Patch status |
|---|---|---|---|---|---|
| GL.iNet | Comet RM-1 | CVE-2026-32290 | Firmware authenticity verification | 4.2 | Fix planned |
| GL.iNet | Comet RM-1 | CVE-2026-32291 | UART root access | 7.6 | Fix planned |
| GL.iNet | Comet RM-1 | CVE-2026-32292 | Brute-force protection weakness | 5.3 | Fixed in 1.8.1 beta |
| GL.iNet | Comet RM-1 | CVE-2026-32293 | Insecure initial provisioning | 3.1 | Fixed in 1.8.1 beta |
| JetKVM | JetKVM | CVE-2026-32294 | Insufficient update verification | 6.7 | Fixed in 0.5.4 |
| JetKVM | JetKVM | CVE-2026-32295 | Insufficient rate limiting | 7.3 | Fixed in 0.5.4 |
| Sipeed | NanoKVM | CVE-2026-32296 | Configuration endpoint exposure | 5.4 | Fixed in 2.3.1 / Pro 1.2.4 |
| Angeet / Yeeso | ES3 KVM | CVE-2026-32297 | Unauthenticated arbitrary file write leading to code execution | 9.8 | No fix available |
| Angeet / Yeeso | ES3 KVM | CVE-2026-32298 | OS command injection | 8.8 | No fix available |
Why these flaws stand out
Eclypsium argues these are not niche bugs that require deep reverse engineering. The researchers said the problems come from basic security failures such as broken access controls, missing firmware signature checks, exposed debug interfaces, and a lack of brute-force protection. In other words, many of the weaknesses reflect security hygiene issues that should already be standard in internet-connected management hardware.
The bigger risk comes from device position, not just CVSS numbers. A vulnerable smart plug or camera can still be dangerous, but a vulnerable IP-KVM can directly mediate access to the machines it controls. That means an attacker who compromises the KVM may be able to re-infect hosts after cleanup, hide tooling on the device itself, or operate below endpoint security products. That conclusion comes from Eclypsium’s description of how KVM compromise works.
Eclypsium also noted that internet exposure is rising. Its researchers said runZero identified 404 of these devices exposed to the public internet in June 2025, while Eclypsium found 1,611 by January 2026. That trend suggests the attack surface has grown quickly as cheap single-port KVM products spread beyond homelabs into MSPs, data centers, and industrial environments.
What admins should do now
- Move IP-KVM devices off the public internet and isolate them on a dedicated management VLAN.
- Apply available firmware updates, especially JetKVM 0.5.4, NanoKVM 2.3.1 or Pro 1.2.4, and GL.iNet 1.8.1 beta where appropriate.
- Enable MFA where the product supports it.
- Restrict inbound access and check for external exposure with internet scanning tools such as Shodan, as Eclypsium recommends.
- Treat unpatched Angeet or Yeeso ES3 units as high risk until the vendor releases fixes. This is an inference from the two unfixed high-severity issues and their impact.
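To turn the checklist above into something repeatable, the following script (an added example, not Eclypsium's or any vendor's code) triages an IP-KVM inventory: it compares each device's firmware against the fixed versions in the table, records where no vendor fix exists, and flags units whose management address is publicly routable or sits outside the management VLAN. The inventory, the management network `10.99.0.0/24`, the product-name keys and the `Device` class are constructed assumptions for illustration.

```python
"""Triage an IP-KVM inventory against the patch-status table and the isolation
advice in this article.  Added example; fixed versions come from the table above.
The inventory, MGMT_NETS and the product-name keys are constructed assumptions."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Minimum fixed firmware per (vendor, product), lower-cased, taken from the table.
# None records that no vendor fix is available.
FIXED_VERSIONS: Dict[Tuple[str, str], Optional[str]] = {
    ("jetkvm", "jetkvm"): "0.5.4",
    ("sipeed", "nanokvm"): "2.3.1",
    ("sipeed", "nanokvm pro"): "1.2.4",
    ("gl.inet", "comet rm-1"): "1.8.1",   # 1.8.1 beta fixes two of the four issues
    ("angeet", "es3 kvm"): None,
    ("yeeso", "es3 kvm"): None,
}
# Products whose latest firmware still leaves reported issues open (fixes planned).
PARTIAL_FIX = {("gl.inet", "comet rm-1")}

# Constructed: the dedicated management VLAN where the KVMs are supposed to live.
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]


@dataclass
class Device:
    vendor: str
    product: str
    firmware: str
    mgmt_ip: str


def parse_version(text: str) -> Tuple[int, ...]:
    """Turn '1.8.1 beta' or 'v0.5.4' into a comparable tuple, ignoring suffixes."""
    m = re.search(r"(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"unparseable firmware version: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def patch_status(dev: Device) -> str:
    """Classify a device against the advisory's fix versions."""
    key = (dev.vendor.lower(), dev.product.lower())
    if key not in FIXED_VERSIONS:
        return "not covered by this advisory"
    fixed = FIXED_VERSIONS[key]
    if fixed is None:
        return "no vendor fix available"
    if parse_version(dev.firmware) < parse_version(fixed):
        return f"unpatched (fix in {fixed})"
    if key in PARTIAL_FIX:
        return "partially fixed; remaining fixes planned"
    return "patched"


def exposure_status(dev: Device) -> str:
    """Check the management address against the isolation advice."""
    addr = ipaddress.ip_address(dev.mgmt_ip)
    if addr.is_global:
        return "publicly routable address; take off the internet"
    if not any(addr in net for net in MGMT_NETS):
        return "not on the management VLAN"
    return "isolated"


def triage(devices: List[Device]) -> Dict[str, Tuple[str, str]]:
    """Map each device's management IP to (patch status, exposure status)."""
    return {d.mgmt_ip: (patch_status(d), exposure_status(d)) for d in devices}


# Constructed inventory; none of these are real hosts.
INVENTORY = [
    Device("JetKVM", "JetKVM", "0.5.2", "10.99.0.11"),
    Device("JetKVM", "JetKVM", "v0.5.4", "10.99.0.12"),
    Device("Sipeed", "NanoKVM Pro", "1.2.4", "192.168.1.40"),
    Device("GL.iNet", "Comet RM-1", "1.8.1 beta", "10.99.0.13"),
    Device("Yeeso", "ES3 KVM", "2.0.0", "41.0.0.10"),
]

if __name__ == "__main__":
    for ip, (patch, exposure) in triage(INVENTORY).items():
        print(f"{ip:15} {patch:45} {exposure}")
```

Feed it your own inventory export and management prefixes; the version parser deliberately ignores suffixes such as "beta" so that GL.iNet's 1.8.1 beta compares correctly, and the partial-fix set keeps the Comet RM-1 from being reported as fully patched while two of its fixes are still only planned.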
FAQ
It is a network-connected device that lets an admin control a computer’s keyboard, video, and mouse remotely, often even before the operating system loads.
The top concerns are CVE-2026-32297 and CVE-2026-32298 on the Angeet or Yeeso ES3 KVM because they can lead to code execution and currently have no fix.
JetKVM and Sipeed have published fixes for the issues Eclypsium reported, and GL.iNet has fixed two of its four issues in 1.8.1 beta.
Because a compromised KVM can control the host below the OS layer, which can undermine endpoint defenses and give attackers near-physical access.