Researchers have found nine vulnerabilities in four popular low-cost KVM-over-IP devices, ranging from unauthenticated command injection to weak authentication defenses and insecure firmware updates. The flaws are particularly concerning given the growing presence of such devices in business environments, whether deployed intentionally by IT administrators and managed service providers or introduced as shadow IT.
KVM-over-IP devices enable users to control computers remotely as if they were physically present, with full keyboard, video, and mouse access, including at the BIOS level when the OS is not running. Enterprises have long relied on rack-mounted multi-port KVM switches that include security features such as multi-factor authentication, encryption, and logging but cost hundreds or thousands of dollars.
In recent times, smaller businesses and IT teams operating on tight budgets have increasingly turned to a new class of compact, Linux-based, single-port KVM devices that offer the same access at a fraction of the cost. However, the quality of their firmware and access controls is nowhere near as strong.
Researchers from security firm Eclypsium analyzed several of these cheap models in recent months and found lack of brute-force protections for authentication, insecure firmware update mechanisms, exposed debugging interfaces, and unauthenticated vulnerabilities that can lead to full device takeover.
The number of such devices exposed directly to the internet has grown from a few hundred less than a year ago to over 1,600, according to Eclypsium. That might not sound like a big number, but users of these devices range from small IT shops and MSPs to enterprises that span many industry verticals.
“Enterprise data centers and colocation facilities use IP-KVMs for remote server management,” the Eclypsium researchers said. “Industrial and OT environments deploy them to manage HMI machines in hazardous zones. Healthcare facilities use them for systems in imaging suites and research labs that cannot be easily rebooted. Government and defense installations rely on them for mission-critical servers where physical access requires escorts and approvals.”
Basic oversights
The nine vulnerabilities impact devices from GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM.
The most severe flaw, with a CVSS score of 9.8, was found in the Angeet/Yeeso ES3 KVM and allows any attacker with network access to write arbitrary files to the device via an unprotected upload endpoint. Chained with a separate command injection flaw, it enables pre-authentication remote code execution with root privileges. Angeet has committed to fixing the flaws but has not provided a timeline to Eclypsium.
The GL-iNet Comet RM-1 has four vulnerabilities, including a lack of brute-force protection for authentication and an insecure connection during provisioning. Its firmware update mechanism verifies images with an MD5 hash and no cryptographic signature. MD5 is collision-broken, but the more fundamental problem is that a bare hash only proves an image was not corrupted in transit, not who produced it: an attacker who can deliver a backdoored image can simply ship a matching hash alongside it, and the device would accept it.
Separately, the device’s UART serial interface gives unauthenticated root access to anyone who can physically reach the device. GL-iNet has issued partial fixes in a beta release but has no planned fix for firmware signing or UART authentication.
JetKVM, one of the most popular devices in the low-cost KVM segment, also used an over-the-air (OTA) update mechanism that relied on SHA-256 hashes without cryptographic signatures, and had no brute-force protection on its single-password login. The hash function itself is sound here; the weakness is the same as with the Comet RM-1, since a hash alone provides integrity, not authenticity. Both flaws have been patched.
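The difference between the hash-only update checks described for the Comet RM-1 and JetKVM and a signed update, shown as an added example in Go (not Eclypsium's code and not any vendor's firmware). It assumes an Ed25519 vendor public key burned into the device at manufacture; the image bytes and the injected payload are constructed placeholders. The attacker model is a man-in-the-middle on the update path who can swap the image and recompute its digest but has no access to the vendor's private key.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Manifest is the hash-only scheme: an image plus its expected digest.
// Swap SHA-256 for MD5 and the structure is identical; neither binds the
// digest to the vendor.
type Manifest struct {
	Image  []byte
	SHA256 string
}

// verifyHashOnly recomputes the digest and compares it. This catches
// corruption, not substitution: whoever can replace the image can replace
// the digest too.
func verifyHashOnly(m Manifest) bool {
	sum := sha256.Sum256(m.Image)
	return hex.EncodeToString(sum[:]) == m.SHA256
}

// SignedManifest adds an Ed25519 signature over the digest, produced with a
// private key that never leaves the vendor's build infrastructure.
type SignedManifest struct {
	Manifest
	Sig []byte
}

// vendorSign is the build-server side: hash the image, sign the digest.
func vendorSign(priv ed25519.PrivateKey, img []byte) SignedManifest {
	sum := sha256.Sum256(img)
	return SignedManifest{
		Manifest: Manifest{Image: img, SHA256: hex.EncodeToString(sum[:])},
		Sig:      ed25519.Sign(priv, sum[:]),
	}
}

// verifySigned is the device side. pub is assumed to be burned into the
// device (or its bootloader) at manufacture, so an attacker on the update
// path cannot replace it along with the image.
func verifySigned(pub ed25519.PublicKey, m SignedManifest) error {
	if !verifyHashOnly(m.Manifest) {
		return errors.New("digest mismatch: image corrupted or digest tampered")
	}
	digest, err := hex.DecodeString(m.SHA256)
	if err != nil {
		return err
	}
	if !ed25519.Verify(pub, digest, m.Sig) {
		return errors.New("signature invalid: image was not produced by the vendor")
	}
	return nil
}

// backdoor models the attacker: append a payload and recompute the digest
// so the hash-only check still passes. The original signature is carried
// over unchanged because the attacker cannot produce a new one.
func backdoor(m SignedManifest, payload []byte) SignedManifest {
	img := append(append([]byte(nil), m.Image...), payload...)
	sum := sha256.Sum256(img)
	return SignedManifest{
		Manifest: Manifest{Image: img, SHA256: hex.EncodeToString(sum[:])},
		Sig:      m.Sig,
	}
}

// Demo runs a genuine and a backdoored image through both checks and returns
// each verdict so the outcome can be asserted on rather than just printed.
func Demo() (genuineSigned error, tamperedHashOnly bool, tamperedSigned error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader) // vendor keypair (constructed for the demo)
	if err != nil {
		panic(err)
	}
	genuine := vendorSign(priv, []byte("constructed firmware image v1.0"))
	evil := backdoor(genuine, []byte("<attacker-supplied payload>"))
	return verifySigned(pub, genuine), verifyHashOnly(evil.Manifest), verifySigned(pub, evil)
}

func main() {
	g, h, s := Demo()
	fmt.Println("genuine image, signed check error:", g)
	fmt.Println("backdoored image accepted by hash-only check:", h)
	fmt.Println("backdoored image, signed check error:", s)
}
```

The hash-only check accepts the backdoored image because the attacker recomputed the digest; the signed check rejects it because the stale signature no longer matches. Note that signature verification on its own is not the whole story: the public key must be protected from replacement (for example, by a bootloader that also verifies the next stage), otherwise an attacker with the unauthenticated UART root shell described above could simply install their own key.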
Sipeed’s NanoKVM had an unauthenticated WiFi configuration endpoint that could be exploited to hijack the device’s network connection. The flaw has now been patched.
“These are not exotic zero-days requiring months of reverse engineering,” the Eclypsium researchers said. “These are fundamental security controls that any networked device should implement: Input validation, authentication, cryptographic verification, rate limiting. We are looking at the same class of failures that plagued early IoT devices a decade ago, but now on a device class that provides the equivalent of physical access to everything it connects to.”
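The rate limiting the researchers list as a missing fundamental, and which the Comet RM-1 and JetKVM logins lacked, as an added example in Go (not code from either vendor). The thresholds (three free failures, then a lockout that starts at five seconds and doubles, capped at fifteen minutes) are assumptions chosen for illustration; the client identifier and the credential check are supplied by the caller, and the clock is injectable so the behaviour can be tested without sleeping.

```go
package main

import (
	"sync"
	"time"
)

// Lockout policy. These values are assumptions for the example, not anything
// a specific device ships with.
const (
	freeAttempts = 3               // failures tolerated before any lockout
	baseLockout  = 5 * time.Second // first lockout; doubles on each further failure
	maxLockout   = 15 * time.Minute
)

// LoginGuard tracks failed attempts per client (source IP, account, or both)
// and refuses to run the credential check while a client is locked out.
type LoginGuard struct {
	mu       sync.Mutex
	failures map[string]int
	lockedTo map[string]time.Time
	now      func() time.Time // injectable for tests; defaults to time.Now
}

func NewLoginGuard(now func() time.Time) *LoginGuard {
	if now == nil {
		now = time.Now
	}
	return &LoginGuard{
		failures: map[string]int{},
		lockedTo: map[string]time.Time{},
		now:      now,
	}
}

// Attempt runs check only if client is not currently locked out. It returns
// whether the login succeeded and, on rejection, how long the client must
// wait. check is the real credential verification (in a real device a
// constant-time compare against a bcrypt or argon2 hash); it is passed in as
// a closure so that it never executes during a lockout, which also denies a
// locked-out attacker any timing signal from the comparison itself.
func (g *LoginGuard) Attempt(client string, check func() bool) (ok bool, retryAfter time.Duration) {
	g.mu.Lock()
	defer g.mu.Unlock()

	now := g.now()
	if until, locked := g.lockedTo[client]; locked && now.Before(until) {
		return false, until.Sub(now)
	}

	if check() {
		delete(g.failures, client)
		delete(g.lockedTo, client)
		return true, 0
	}

	g.failures[client]++
	n := g.failures[client]
	if n <= freeAttempts {
		return false, 0
	}

	// Exponential backoff: 5s, 10s, 20s, ... capped at maxLockout. The shift
	// is bounded so a very long failure streak cannot overflow to zero.
	shift := n - freeAttempts - 1
	if shift > 20 {
		shift = 20
	}
	d := baseLockout << uint(shift)
	if d > maxLockout {
		d = maxLockout
	}
	g.lockedTo[client] = now.Add(d)
	return false, d
}
```

Keying the counter on the client address alone lets an attacker with many addresses dodge it, and keying on the account alone lets them lock out the legitimate administrator; a single-password device like JetKVM effectively has one account, so the address is the only useful key there, and a hard cap such as maxLockout keeps a deliberate lockout from becoming a permanent denial of service.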
Stealthy backdoors
A compromised KVM device can become a powerful backdoor in any environment. An attacker can inject keystrokes to execute commands or access UEFI settings to disable security features such as disk encryption and Secure Boot.
Because the device operates outside the controlled system’s OS, endpoint detection tools and host firewalls on that system cannot see it. These devices run their own Linux-based firmware, so attackers can persist malware on the KVM itself and re-infect connected systems even after their disks have been wiped.
“Compromising a KVM device gives an attacker the equivalent of physical access to every machine connected to it,” the Eclypsium researchers warned. “Not ‘kind of like’ physical access. Actual keyboard, video, and mouse control, at the BIOS level, below the operating system, below EDR, below every security control you have deployed.”
North Korean spies posing as remote workers have used PiKVM devices connected to laptops and workstations provided to them by employers to fake their physical presence in different countries and gain access to corporate networks.
Enterprise-grade KVM switches are not immune to vulnerabilities either. ATEN, one of the leading vendors, patched critical buffer overflow vulnerabilities in some of its products last year. Baseboard Management Controller (BMC) interfaces, another type of out-of-band management technology that is common in server products, have been plagued by vulnerabilities for years, and some have even been exploited to deploy rootkits.
Eclypsium advises organizations to isolate KVM devices on dedicated management VLANs, never expose them directly to the internet, enable two-factor authentication where the device supports it, and reach them only through a VPN. Companies should also audit their networks for KVM devices they might not be aware of and deploy firmware updates as they become available.
“Audit your KVM deployments,” the researchers wrote. “Know what you have, where it is, and what firmware it is running. These devices are the keys to your kingdom, and right now, too many of them are hanging on the network with the door wide open.”