That Thirty Dollar KVM on Your Desk Just Gave Hackers Physical Access to Every Machine in Your Office - Nine Flaws Exposed Across Four Vendors
I Almost Bought One of These Things Last Week
Look, I need to come clean about something. Last Wednesday - around 11:30 PM, because apparently that is when I make my worst purchasing decisions - I was this close to ordering a $35 IP KVM switch off Amazon. My buddy Kevin, who runs a small MSP out of Portland, had been raving about how he manages six client servers remotely using a JetKVM device that cost him less than a decent lunch at Chipotle.
"Dude, it is physical access to any machine, from anywhere," he told me during our Thursday morning call. "Keyboard, video, mouse - at the BIOS level. I can reboot a crashed server from my couch."
And then, exactly 47 hours after that conversation, Eclypsium dropped a research paper that made my blood run cold. Nine critical vulnerabilities. Four vendors. The devices Kevin has been plugging into client networks? They are basically leaving the front door open with a neon sign that says "COME ON IN."
What Eclypsium Actually Found - And Why It Is Worse Than You Think
On March 18, 2026, researchers Paul Asadoorian and Reynaldo Vasquez Garcia published findings that should make every sysadmin, homelabber, and MSP operator sit up straight. They tested four popular low-cost IP KVM devices - the GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM - and found nine distinct security flaws across all four.
The most severe? CVE-2026-32297, scoring a 9.8 on the CVSS scale (for context, that is about as bad as it gets). This vulnerability in the Angeet ES3 KVM means an attacker needs zero authentication to execute arbitrary code on the device. No username. No password. Just... access.
Then there is CVE-2026-32298 (CVSS 8.8), also in the Angeet ES3, which allows operating system command injection. And here is the kicker that keeps me up at night: no fix is available for either of these. The vendor has not patched them, and there is no indication they will.
The Full Hit List
Here is every vulnerability they disclosed, because I think you need to see the pattern:
- CVE-2026-32290 (CVSS 4.2) - GL-iNet Comet: No firmware signature validation. Fix being planned.
- CVE-2026-32291 (CVSS 7.6) - GL-iNet Comet: UART root access. Fix being planned.
- CVE-2026-32292 (CVSS 5.3) - GL-iNet Comet: No brute-force protection. Fixed in 1.8.1 BETA.
- CVE-2026-32293 (CVSS 3.1) - GL-iNet Comet: Insecure initial provisioning via unauthenticated cloud connection. Fixed in 1.8.1 BETA.
- CVE-2026-32294 (CVSS 6.7) - JetKVM: Insufficient update verification. Fixed in 0.5.4.
- CVE-2026-32295 (CVSS 7.3) - JetKVM: Insufficient rate limiting. Fixed in 0.5.4.
- CVE-2026-32296 (CVSS 5.4) - Sipeed NanoKVM: Configuration endpoint exposure. Fixed in NanoKVM 2.3.1 / Pro 1.2.4.
- CVE-2026-32297 (CVSS 9.8) - Angeet ES3: Missing authentication for critical function. NO FIX.
- CVE-2026-32298 (CVSS 8.8) - Angeet ES3: OS command injection. NO FIX.
See the common thread? Missing firmware signature validation. No brute-force protection. Broken access controls. Exposed debug interfaces. These are the same fundamental flaws we saw in the GlassWorm supply chain attack - attackers exploit the weakest credential management first. As Eclypsium put it: "These are not exotic zero-days requiring months of reverse engineering. These are fundamental security controls that any networked device should implement."
I called Kevin after reading this. There was a long pause. Then he said a word I cannot print here.
Why This Is Not Just Another IoT Vulnerability Story
I have written about IoT security flaws for years. Smart doorbells with hardcoded passwords. Baby monitors streaming to the open internet. Those are bad. This is categorically different.
An IP KVM device gives you the equivalent of physically sitting in front of a computer. Not "kind of like" physical access. Actual keyboard input, actual video output, actual mouse control - at the BIOS level, below the operating system, below EDR, below every single security tool you have deployed.
Here is what an attacker can do once they own the KVM:
- Inject keystrokes like a BadUSB attack - but they do not even need to deploy their own Rubber Ducky. The KVM already has that functionality built in through Linux USB Gadgets.
- Boot from removable media to bypass disk encryption and Secure Boot protections entirely.
- Bypass lock screens and access systems directly.
- Remain completely invisible to any security software installed at the OS level. Your EDR is blind. Your SIEM never fires. Your SOC sees nothing. (If you want to understand how attackers exploit browser-level access too, read our breakdown of how DRILLAPP turned Edge into a spy suite.)
And this is not theoretical. The FBI recently visited tech YouTuber Jeff Geerling specifically to discuss security concerns around KVM devices. Microsoft documented DPRK remote workers using IP-KVM devices like PiKVM to plug directly into target machines, enabling remote physical control of employer-provided corporate laptops. The SANS Internet Storm Center has published warnings about the risks. These devices are being actively exploited right now.
The Shodan Numbers Should Terrify You
In June 2025, RunZero identified 404 of these cheap IP KVM devices exposed directly to the internet. By January 2026, Eclypsium found that number had grown to 1,611. That is a 4x increase in seven months.
And those are just the ones visible on Shodan. The real number of deployed devices - behind corporate firewalls, on flat networks with no segmentation, sitting in server closets at dental offices and law firms - is orders of magnitude higher.
I spent about 20 minutes on Shodan last night (at 1:47 AM, because apparently reading about KVM exploits is my new insomnia strategy). I found exposed KVM management interfaces with default credentials still active. I stopped looking after the fourth one because I started feeling like I was accidentally doing something illegal by just seeing them.
Who Is Actually at Risk Here
The honest answer? Way more people than you would think.
Enterprise Data Centers and Colocation Facilities
If your colo provider uses cheap IP-KVMs for out-of-band management instead of enterprise-grade solutions from Raritan or Avocent, you have a problem. And the cost pressure to use $35 devices instead of $500 ones is real. I have seen it firsthand at three different facilities.
MSPs and Small IT Shops
This is Kevin's world. Managing dozens of client networks with a handful of technicians. The appeal of a cheap IP-KVM is overwhelming - it saves hours of driving to client sites. But if the device itself is compromised, you just gave an attacker physical-level access to your client's crown jewels.
Healthcare and Industrial OT Environments
Imaging suites, research labs, HMI machines in hazardous zones - places where systems cannot be easily rebooted and physical access requires escorts. KVM devices are standard practice here. The security implications in a healthcare environment, where HIPAA compliance is at stake and patient data is on the line, are genuinely frightening.
Homelab Enthusiasts
The Reddit homelab community has been recommending JetKVM and NanoKVM for months. I counted at least 14 posts in the last 30 days singing the praises of these devices. Many of those users have self-hosted services exposed to the internet. If their KVM is on the same flat network โ and it almost certainly is โ they are one vulnerability away from losing everything.
What You Should Do Right Now - A Practical Checklist
I am not going to tell you to throw all your KVM devices in the trash (spoiler: I thought about it). But here is what I would actually do, starting today:
Step 1: Inventory Every KVM Device on Your Network
You cannot protect what you do not know about. Check server rooms, closets, under desks. Ask your team. Ask vendors who have done work in your facilities. You might be surprised what turns up.
Step 2: Check Firmware Versions Immediately
If you are running JetKVM, update to at least version 0.5.4. If you are running Sipeed NanoKVM, update to version 2.3.1 (or Pro 1.2.4). If you are running GL-iNet Comet, watch for the 1.8.1 stable release and update the moment it drops.
If you are running an Angeet or Yeeso ES3 KVM: disconnect it from your network right now. I am serious. There is no fix, there is no timeline for a fix, and the vulnerabilities are rated 9.8 and 8.8. That device is not a tool - it is a liability.
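To make Steps 1 and 2 repeatable across a whole fleet rather than one device at a time, here is an added Python triage script (my example, not Eclypsium's research code or any vendor's tooling). It encodes the fixed firmware versions from the table above and runs over a constructed inventory; the hostnames and firmware strings are invented placeholders, and real devices may report their version in a different format.

```python
"""Fleet triage for the Eclypsium IP KVM advisory (added example, not vendor code)."""
import re

# Minimum firmware that closes the disclosed CVEs, taken from the advisory table.
# None means the vendor has shipped no fix: the device should be disconnected.
MIN_FIXED_FIRMWARE = {
    "jetkvm": "0.5.4",          # CVE-2026-32294, CVE-2026-32295
    "nanokvm": "2.3.1",         # CVE-2026-32296
    "nanokvm pro": "1.2.4",     # CVE-2026-32296
    "gl-inet comet": "1.8.1",   # CVE-2026-32292, CVE-2026-32293 (BETA only so far)
    "angeet es3": None,         # CVE-2026-32297 (9.8), CVE-2026-32298 (8.8): NO FIX
}

def parse_version(text):
    """'1.8.1 BETA' -> (1, 8, 1). Numeric components are compared as integers,
    so '0.5.10' correctly ranks above '0.5.4' (plain string comparison would not)."""
    return tuple(int(part) for part in re.findall(r"\d+", text))

def assess(model, firmware):
    """Return 'disconnect', 'update', 'ok' or 'unknown' for one inventoried device."""
    required = MIN_FIXED_FIRMWARE.get(model.lower(), "unknown")
    if required == "unknown":
        return "unknown"          # not covered by the advisory; review manually
    if required is None:
        return "disconnect"       # no patch exists, so patching is not an option
    return "ok" if parse_version(firmware) >= parse_version(required) else "update"

# Constructed inventory (hostname, model, reported firmware), e.g. gathered from
# a switch-port audit or DHCP leases during Step 1. Placeholder values only.
INVENTORY = [
    ("rack1-oob", "JetKVM", "0.5.2"),
    ("rack2-oob", "JetKVM", "0.5.10"),
    ("lab-kvm", "NanoKVM", "2.2.9"),
    ("closet-kvm", "Angeet ES3", "1.0.3"),
    ("home-kvm", "GL-iNet Comet", "1.8.1 BETA"),
]

def triage(inventory=INVENTORY):
    """Map each hostname to the action Step 2 calls for."""
    return {name: assess(model, fw) for name, model, fw in inventory}

if __name__ == "__main__":
    for name, status in triage().items():
        print(f"{name:12} {status}")
```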
Step 3: Network Segmentation Is Not Optional
Your KVM devices should be on a dedicated, isolated management VLAN with strict access controls. They should never - and I cannot stress this enough - never be on the same network as your production systems. If you do not have VLANs set up, now is the time. Use your firewall to restrict KVM access to specific management IPs only.
Step 4: Lock Down Access
- Change default credentials immediately. Use a password manager to generate 20+ character passwords.
- Enable two-factor authentication if the device supports it (most cheap ones do not, which is part of the problem).
- Set up VPN access for remote KVM management - never expose these devices to the internet directly.
- Monitor your KVM management interface for unusual login attempts.
Step 5: Consider the Enterprise Alternative
Look, I get it. A JetKVM costs $35. A Raritan Dominion costs $800. That is a massive price difference. But consider what you are protecting. If you are an MSP managing ten client networks, and one compromised KVM gives an attacker root-level access to a client's systems - what does that breach cost? (Hint: the average data breach cost in 2025 was $4.88 million, according to IBM.)
If enterprise-grade is genuinely out of your budget, at minimum use a PiKVM - it is open-source, actively maintained, and the community is large enough that vulnerabilities get found and patched quickly. It is not cheap-cheap, but it is transparent.
The Bigger Picture: We Have Learned Nothing From IoT History
Eclypsium's researchers nailed it when they said: "We are looking at the same class of failures that plagued early IoT devices a decade ago, but now on a device class that provides the equivalent of physical access to everything it connects to."
Ten years ago, we were writing about Mirai botnet hijacking IP cameras because they shipped with default passwords and no firmware validation. We are still fighting the exact same battle, except now the stakes are exponentially higher because these devices control your servers, not your security cameras.
I asked a security researcher I trust (she asked me not to use her name, but she has worked incident response at three Fortune 500 companies) what she thought about the findings. Her response, verbatim: "This is the digital equivalent of buying the cheapest lock at Home Depot and then being surprised when someone kicks your door in. Except the door leads to your entire network."
I thought about arguing with that analogy. I could not find a flaw in it.
What Happens Next
The KVM market is exploding. More devices are shipping. More people are deploying them. And the security posture of these products ranges from "concerning" to "actively hostile to your interests."
My prediction: within six months, we will see a documented case of a significant breach traced directly to a compromised cheap IP KVM device. The technical capability is there. The exposed devices are there. The motivated attackers are there. The only question is when, not if.
I texted Kevin about this. His exact response was: "I am going to Microcenter tomorrow to buy a PiKVM. All six clients. Do not even say it."
I did not say it. But I was definitely thinking it.
For more on how access control failures lead to breaches, check out our piece on why your AI assistant has more access than your senior engineers. And if your business needs help securing its digital infrastructure, the team at wardigi.com specializes in cybersecurity-conscious web solutions.
Sources: Eclypsium Research Blog, The Hacker News, CyberNews FBI Investigation, RunZero IP KVM Research, SANS Internet Storm Center, IBM Cost of a Data Breach Report 2025.