Low‑cost KVM holes

Security researchers found nine critical flaws in inexpensive KVM‑over‑IP devices that can grant full keyboard, video and mouse control — even when target machines appear powered off — creating a severe risk for budget-dependent K‑12 setups. The vulnerabilities are especially dangerous where low‑cost remote management is used for multi‑campus oversight. (x.com)

Eclypsium published a technical write-up on March 17, 2026 documenting nine vulnerabilities across four inexpensive IP‑KVM products. (eclypsium.com) The affected models named by researchers are GL‑iNet Comet (RM‑1), Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM. (thehackernews.com) Two flaws in the Angeet ES3 were flagged as the most severe: CVE‑2026‑32297 (CVSS 9.8) and CVE‑2026‑32298 (CVSS 8.8), with researchers reporting no available fixes for those entries at disclosure. (thehackernews.com)

Researchers identified systemic failures—missing firmware signature validation, no brute‑force protections, broken access controls, and exposed debug interfaces—that enable unauthenticated root access or arbitrary code execution. (thehackernews.com) Investigators noted these single‑port IP‑KVMs typically retail for $30–$100 and are marketed to homelabbers, MSPs, small IT shops and per‑machine remote access use cases in branch or campus environments. (eclypsium.com)

Some vendors have issued fixes: JetKVM’s update verification and rate‑limiting fixes landed in version 0.5.4, and Sipeed released NanoKVM patches (NanoKVM 2.3.1 and NanoKVM Pro 1.2.4), while GL‑iNet listed planned fixes and a 1.8.1 BETA addressing several issues. (thehackernews.com) Eclypsium warned that KVM compromise grants BIOS‑level capabilities—BadUSB keystroke injection, remote boot from emulated media to bypass Secure Boot or disk encryption—and cited related FBI and Microsoft attention to IP‑KVM abuse. (eclypsium.com)
