What happened
Researchers at Eclypsium uncovered nine vulnerabilities across four low-cost IP-KVM devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM, flaws that could give attackers BIOS-level control over connected systems and bypass operating system security controls and EDR tools. The most severe issues affect the Angeet/Yeeso ES3 KVM, where an unauthenticated file upload flaw (CVE-2026-32297) can be chained with an OS command injection bug (CVE-2026-32298) to achieve pre-authentication remote code execution with root privileges. The researchers also found weak firmware verification, exposed debug interfaces, broken access controls, and insufficient rate limiting across the affected products, while internet scans identified more than 1,600 of these devices exposed online.
Who is affected
Organizations using the affected IP-KVM devices in enterprise, lab, or remote management environments are affected, particularly those with devices exposed directly to the internet or deployed without segmented management networks.
Why CISOs should care
Because IP-KVM devices operate below the host operating system, compromise can give attackers the equivalent of physical access to connected machines, enabling BIOS changes, boot manipulation, and control that remains invisible to host-based security tools.
3 practical actions
- Isolate IP-KVM devices on dedicated management networks. Systems should be placed on separate VLANs and never exposed directly to the internet.
- Restrict access with strong authentication and VPNs. Administrative access should be tightly controlled to reduce exposure of out-of-band management systems.
- Inventory devices and apply firmware updates. Review environments for undocumented KVM devices and update affected products when vendor patches are available.
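As a starting point for the inventory and isolation actions above, here is an added Python example (not from Eclypsium or this article) that audits a constructed asset inventory for IP-KVM devices from the named vendors. The management VLAN, the approved address range, and all hosts, addresses and firmware strings are assumptions, not values from the disclosure.

```python
import ipaddress

# Vendors named in the Eclypsium disclosure; matched case-insensitively.
KVM_VENDORS = ("gl-inet", "gl.inet", "angeet", "yeeso", "sipeed", "jetkvm")
# Assumption: VLAN 100 / 10.0.100.0/24 is the dedicated out-of-band management network.
MGMT_VLANS = {100}
MGMT_PREFIXES = [ipaddress.ip_network("10.0.100.0/24")]

# Constructed sample inventory (hypothetical hosts, addresses and firmware strings).
INVENTORY = [
    {"host": "kvm-rack1", "vendor": "JetKVM", "ip": "10.0.100.12", "vlan": 100, "firmware": "fw-constructed-1"},
    {"host": "es3-lab", "vendor": "Angeet/Yeeso ES3", "ip": "192.0.2.40", "vlan": 10, "firmware": ""},
    {"host": "nano-kvm", "vendor": "Sipeed", "ip": "10.0.20.5", "vlan": 20, "firmware": "fw-constructed-2"},
    {"host": "fileserver", "vendor": "Dell", "ip": "10.0.20.7", "vlan": 20, "firmware": ""},
]


def is_ip_kvm(record):
    """True if the record's vendor string names one of the affected IP-KVM makers."""
    vendor = record.get("vendor", "").lower()
    return any(v in vendor for v in KVM_VENDORS)


def audit(inventory, mgmt_vlans=MGMT_VLANS, mgmt_prefixes=MGMT_PREFIXES):
    """Return (host, finding) pairs for IP-KVM devices that break the isolation
    and patch-tracking actions: wrong address range, wrong VLAN, or no firmware
    version on record to compare against a vendor advisory."""
    findings = []
    for rec in inventory:
        if not is_ip_kvm(rec):
            continue
        addr = ipaddress.ip_address(rec["ip"])
        if not any(addr in net for net in mgmt_prefixes):
            findings.append((rec["host"], "address outside approved management ranges"))
        if rec.get("vlan") not in mgmt_vlans:
            findings.append((rec["host"], "not on a dedicated management VLAN"))
        if not rec.get("firmware"):
            findings.append((rec["host"], "no recorded firmware version; check vendor advisory"))
    return findings


if __name__ == "__main__":
    for host, finding in audit(INVENTORY):
        print(f"{host}: {finding}")
```

Feed it your real asset export in the same record shape to get a list of KVM devices to move, lock down, or patch first.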