A new wave of security research has found serious flaws in low-cost IP-KVM (Keyboard, Video, Mouse) devices, which is very worrying for businesses. These devices, which usually cost between $30 and $100, are becoming more popular for managing systems remotely.

However, attackers are now using them as weapons to get deep, hardware-level access.

Risk of Control at the BIOS Level

Unlike other types of software attacks, IP-KVM compromises work below the operating system. This lets attackers directly control a system's keyboard, mouse, and display at the BIOS level. Because of this, they can completely bypass antivirus software, endpoint security tools, and host-based firewalls.

If one KVM device is compromised, it can give full access to every machine connected to it.

Attackers can run commands, change the way a computer boots, spread ransomware, or even launch attacks using virtual media without being detected.

Eclypsium says that the number of IP-KVM devices connected to the internet has skyrocketed from 404 in June 2025 to more than 1,600 by January 2026. This big jump shows that a lot of people are deploying them without enough security measures.

The flaws are due to basic security problems in how the devices were designed and built. Some common problems are:

- Inadequate firmware verification
- Exposed debug and serial interfaces
- Weak or missing brute-force protection
- Insecure cloud provisioning processes

Because these devices run embedded Linux systems, attackers can also put persistent backdoors directly on the hardware. The study found nine vulnerabilities across four vendors: GL-iNet, Angeet, Sipeed, and JetKVM.

| Vendor | Product | CVE | Vulnerability | CVSS | Status |
|---|---|---|---|---|---|
| GL-iNet | Comet RM-1 | CVE-2026-32290 | Insufficient firmware verification | 4.2 | No fix is planned |
| GL-iNet | Comet RM-1 | CVE-2026-32291 | UART root access | 7.6 | No fix is planned |
| GL-iNet | Comet RM-1 | CVE-2026-32292 | Insufficient brute-force protection | 5.3 | Fixed in v1.8.1 BETA |
| GL-iNet | Comet RM-1 | CVE-2026-32293 | Insecure initial cloud provisioning | 3.1 | Fixed in v1.8.1 BETA |
| Angeet | ES3 KVM | CVE-2026-32297 | Unauthenticated file upload | 9.8 | No fix available |
| Angeet | ES3 KVM | CVE-2026-32298 | OS command injection | 8.8 | No fix yet |
| Sipeed | NanoKVM | CVE-2026-32296 | Configuration endpoint exposure | 5.4 | Fixed in v2.3.1 |
| JetKVM | JetKVM | CVE-2026-32294 | Insufficient update verification | 6.7 | Fixed in v0.5.4 |
| JetKVM | JetKVM | CVE-2026-32295 | Insufficient rate limiting | 7.3 | Fixed in v0.5.4 |

The Angeet ES3 KVM has the worst problem: attackers can upload any files they want without having to log in.
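An added example, not code from the article or from Eclypsium: a triage script that checks a KVM inventory against the fixed-in versions in the table above and against a dedicated management segment. The inventory records, hostnames, addresses, firmware strings and the `MGMT_NET` subnet are constructed assumptions.

```python
import ipaddress

# Transcribed from the table above: (vendor, product) -> [(CVE, CVSS, fixed-in)].
# fixed-in is None where the table lists no fix.
ADVISORIES = {
    ("GL-iNet", "Comet RM-1"): [
        ("CVE-2026-32290", 4.2, None), ("CVE-2026-32291", 7.6, None),
        ("CVE-2026-32292", 5.3, "1.8.1"), ("CVE-2026-32293", 3.1, "1.8.1"),
    ],
    ("Angeet", "ES3 KVM"): [("CVE-2026-32297", 9.8, None), ("CVE-2026-32298", 8.8, None)],
    ("Sipeed", "NanoKVM"): [("CVE-2026-32296", 5.4, "2.3.1")],
    ("JetKVM", "JetKVM"): [("CVE-2026-32294", 6.7, "0.5.4"), ("CVE-2026-32295", 7.3, "0.5.4")],
}
MGMT_NET = ipaddress.ip_network("10.20.0.0/24")  # assumed dedicated KVM segment

def parse_version(text):
    """Turn 'v1.8.1 BETA' or '0.5.3' into a comparable tuple; suffixes are ignored."""
    core = text.strip().lstrip("vV").split()[0]
    return tuple(int(part) for part in core.split("."))

def triage(device):
    """Return the CVEs still open on one inventory record and its network placement."""
    installed = parse_version(device["firmware"])
    known = ADVISORIES.get((device["vendor"], device["product"]), [])
    unpatched = [(cve, cvss) for cve, cvss, fixed in known
                 if fixed is None or installed < parse_version(fixed)]
    return {
        "host": device["host"],
        "open_cves": [cve for cve, _ in unpatched],
        "max_cvss": max((cvss for _, cvss in unpatched), default=0.0),
        "in_mgmt_segment": ipaddress.ip_address(device["mgmt_ip"]) in MGMT_NET,
    }

# Constructed sample inventory; none of these values come from the article.
INVENTORY = [
    {"host": "kvm-a", "vendor": "JetKVM", "product": "JetKVM", "firmware": "0.5.3", "mgmt_ip": "10.20.0.5"},
    {"host": "kvm-b", "vendor": "GL-iNet", "product": "Comet RM-1", "firmware": "v1.8.1 BETA", "mgmt_ip": "10.20.0.6"},
    {"host": "kvm-c", "vendor": "Angeet", "product": "ES3 KVM", "firmware": "1.0.0", "mgmt_ip": "203.0.113.7"},
    {"host": "kvm-d", "vendor": "Sipeed", "product": "NanoKVM", "firmware": "2.3.1", "mgmt_ip": "10.20.0.8"},
]

if __name__ == "__main__":
    for dev in sorted(map(triage, INVENTORY), key=lambda r: -r["max_cvss"]):
        print(dev)
```

A device with no vendor fix stays flagged at every firmware version, so isolation is the only control the script can confirm for it.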

Attack Scenarios in the Real World

After a compromise, attackers can:

- Inject keystrokes to install malware or ransomware
- Boot systems from malicious remote media without having to decrypt the disk
- Change BIOS settings to maintain persistence
- Watch or stop sensitive operations as they happen

Traditional detection tools don't work because all of these actions happen below the OS. Security teams should treat IP-KVM devices as high-risk infrastructure.

Things you should do include:

- Keep KVMs separate from other management networks.
- Never let them connect directly to the internet.
- Install any available firmware updates as soon as possible.
- Turn off interfaces you don't need, like UART and wireless configuration.
- Make sure that strong authentication and network segmentation are in place.

These results show that enterprise security is becoming less effective. As businesses start using less expensive hardware, attackers are targeting these often-ignored components to take full control of important systems.
