Security researchers have disclosed critical vulnerabilities in IP KVM (Keyboard, Video, Mouse) devices from four manufacturers: GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM. The flaws, ranging from unauthenticated file access to OS command injection, could allow attackers to take full control of connected systems.
The most severe flaw, CVE-2026-32297 in Angeet/Yeeso’s ES3 KVM, scores a 9.8 out of 10 on the CVSS scale and currently has no fix available. Other vendors are rolling out patches, but many remain unpatched or rely on beta firmware.
HD Moore, founder of runZero, warned that these devices pose systemic risks similar to BMCs: compromising them bypasses traditional network security. A recent scan revealed over 1,300 exposed IP KVMs online, up from 1,000 just months ago.
Experts urge administrators to identify and isolate these devices using network scans, enforce strong passwords, and secure access via trusted VPNs like WireGuard or Tailscale.