Nine IP KVM Flaws Let Attackers Gain Unauthenticated Root Access

By alex2404

Remote infrastructure management has expanded rapidly across enterprise and home lab environments, putting low-cost IP KVM devices on millions of networks — often with little scrutiny applied to their security baseline.

Nine vulnerabilities spanning four separate products have now been identified by Eclypsium researchers, affecting the GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM. The most severe flaws allow unauthenticated actors to gain root access or execute arbitrary code on connected systems.

Researchers Paul Asadoorian and Reynaldo Vasquez Garcia described the underlying problems as systemic. “The common themes are damning: missing firmware signature validation, no brute-force protection, broken access controls, and exposed debug interfaces,” they wrote in their analysis.

Because an IP KVM controls a machine’s keyboard input, video output, and mouse from before the operating system loads (including the BIOS/UEFI setup and boot menus), a successful attack bypasses virtually every software-based security control on the host. An attacker can inject keystrokes, boot from removable media to circumvent disk encryption or Secure Boot, get past lock screens, and do all of this without triggering any detection at the OS layer.

What makes the findings particularly pointed is the nature of the flaws themselves. According to the announcement, these are not complex zero-days. “These are fundamental security controls that any networked device should implement,” the researchers stated. “Input validation. Authentication. Cryptographic verification. Rate limiting. We are looking at the same class of failures that plagued early IoT devices a decade ago, but now on a device class that provides the equivalent of physical access to everything it connects to.”

A Persistent Threat Beyond Initial Compromise

Eclypsium emphasized that a compromised KVM presents a fundamentally different risk profile from a typical compromised network device. Attackers can embed tools and backdoors directly in the KVM firmware, allowing them to re-infect host machines even after those systems have been cleaned and remediated. Since most of the affected devices lack firmware signature verification, the firm also warned that a supply-chain attacker could tamper with firmware at the point of distribution and have it persist indefinitely across deployments.

This disclosure does not arrive in isolation.

In July 2025, Russian cybersecurity firm Positive Technologies flagged five separate vulnerabilities — CVE-2025-3710 through CVE-2025-3714 — in ATEN International switches, exposing those devices to denial-of-service attacks and remote code execution. Separately, IP KVM products including PiKVM and TinyPilot have been used by North Korean IT workers based in countries such as China to remotely access company-issued laptops held on so-called laptop farms.

The report outlines several defensive steps: enforce multi-factor authentication where the device supports it, isolate KVM hardware on a dedicated management VLAN, restrict internet-facing access, use tools like Shodan to audit external exposure, monitor for anomalous network traffic to and from these devices, and maintain current firmware versions.
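The segmentation and monitoring steps above can be turned into a concrete check. The script below is an added example, not code from Eclypsium or the article: it takes connection records in a constructed text format and flags any that violate a simple KVM segmentation policy, namely a KVM reached from the internet, a KVM reached from an internal network other than the admin jump-host subnet, or a KVM initiating outbound traffic to anything other than an allow-listed update host. The subnets, the allow-listed address, and the sample flows are all assumptions made up for the illustration.

```python
"""Flag network flows that violate a KVM segmentation policy.

Added example, not from the Eclypsium report or the article. All subnets,
the allow-listed update host, the flow format and the sample records are
constructed for illustration.
"""
from collections import Counter
from ipaddress import ip_address, ip_network

# Assumed policy: KVM devices live on a dedicated management VLAN and may only
# be reached from the admin jump-host subnet. Outbound, they may only talk to
# one vendor update host (placeholder address from the TEST-NET-3 range).
KVM_VLAN = ip_network("10.50.0.0/24")            # assumption: management VLAN
ADMIN_NET = ip_network("10.10.0.0/24")           # assumption: jump hosts
ALLOWED_OUTBOUND = {ip_address("203.0.113.10")}  # placeholder update server

# RFC 1918 space counts as "internal"; anything else is treated as internet.
INTERNAL_NETS = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def is_internal(addr):
    """True if addr falls in RFC 1918 space."""
    return any(addr in net for net in INTERNAL_NETS)


def parse_flow(line):
    """Parse one constructed record: '<ts> <src>:<port> -> <dst>:<port> <proto>'."""
    ts, src, _, dst, proto = line.split()
    src_ip, _, src_port = src.rpartition(":")
    dst_ip, _, dst_port = dst.rpartition(":")
    return {
        "ts": ts,
        "src": ip_address(src_ip),
        "sport": int(src_port),
        "dst": ip_address(dst_ip),
        "dport": int(dst_port),
        "proto": proto,
    }


def classify(flow):
    """Return a finding label for a policy violation, or None if the flow is allowed."""
    src_is_kvm = flow["src"] in KVM_VLAN
    dst_is_kvm = flow["dst"] in KVM_VLAN

    # Inbound to a KVM from outside RFC 1918 space: device is internet-reachable.
    if dst_is_kvm and not is_internal(flow["src"]):
        return "internet-exposed"
    # Inbound to a KVM from an internal host that is not a jump host.
    if dst_is_kvm and not src_is_kvm and flow["src"] not in ADMIN_NET:
        return "access-from-outside-mgmt"
    # KVM reaching out to anything but the allow-listed update host.
    if src_is_kvm and not dst_is_kvm and flow["dst"] not in ALLOWED_OUTBOUND:
        return "unexpected-egress"
    return None


def audit(lines):
    """Count findings by label across a batch of flow records."""
    counts = Counter()
    for line in lines:
        label = classify(parse_flow(line))
        if label:
            counts[label] += 1
    return counts


# Constructed sample flows (not real traffic). Non-RFC 1918 addresses are taken
# from the IETF documentation ranges.
SAMPLE_FLOWS = [
    "2025-07-01T09:00:00Z 10.10.0.5:51000 -> 10.50.0.20:443 tcp",     # jump host -> KVM
    "2025-07-01T09:01:00Z 10.20.7.9:41222 -> 10.50.0.20:443 tcp",     # workstation -> KVM
    "2025-07-01T09:02:00Z 198.51.100.7:39000 -> 10.50.0.21:80 tcp",   # internet -> KVM
    "2025-07-01T09:03:00Z 10.50.0.20:40100 -> 203.0.113.10:443 tcp",  # KVM -> update host
    "2025-07-01T09:04:00Z 10.50.0.21:40200 -> 192.0.2.55:4444 tcp",   # KVM -> unknown host
]

if __name__ == "__main__":
    for line in SAMPLE_FLOWS:
        flow = parse_flow(line)
        print(f"{flow['ts']} {flow['src']} -> {flow['dst']}:{flow['dport']} "
              f"{classify(flow) or 'ok'}")
    print(dict(audit(SAMPLE_FLOWS)))
```

Feeding real flow exports (NetFlow, Zeek `conn.log`, firewall logs) into `parse_flow` only needs the parser swapped; the policy checks stay the same. The "internet-exposed" label corresponds to what an external Shodan-style audit would reveal from the outside, while the other two labels cover the internal misuse and anomalous-egress cases the report recommends monitoring for.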

Eclypsium’s researchers have disclosed their findings to the affected vendors and are working with them toward remediation.


This article is a curated summary based on third-party sources.
