4 KVM Vendors, 9 Vulns – Including an Unfixed CVSS 9.8

The Stack (TheStack.technology)
Mar 17, 2026

Why It Matters

Unfixed high‑severity flaws in cheap KVMs give attackers a direct foothold into corporate networks, raising the risk of widespread compromise. The findings pressure vendors and buyers to prioritize secure firmware and patch management.

Key Takeaways

  • Four KVM vendors affected by nine vulnerabilities.
  • Two flaws score above 8.5 on the CVSS scale and remain unfixed.
  • Single‑port KVMs sell for as low as $30.
  • Missing firmware signatures and no brute‑force protection.
  • Enterprises adopting cheap KVMs risk network compromise.

Pulse Analysis

The rapid adoption of low‑cost, consumer‑grade IP KVMs reflects a broader trend toward decentralized IT infrastructure. Traditionally, KVM‑over‑IP solutions were expensive, rack‑mounted appliances used by data centers for out‑of‑band management. Today, single‑port devices priced under $30 target homelabbers, managed service providers, and even enterprise branches seeking inexpensive remote console access. This democratization expands the attack surface, as many organizations deploy devices without rigorous security vetting.

Eclypsium’s research reveals nine distinct vulnerabilities spanning four manufacturers, with two critical bugs scoring 9.8 and 8.8 on the CVSS scale. The flaws stem from fundamental engineering oversights: firmware lacks cryptographic signature checks, brute‑force login attempts are unlimited, access controls are improperly enforced, and debug interfaces remain exposed. Crucially, the most severe issues have not been patched, and the responsible vendor, Angeet/Yeeso, has offered no remediation timeline, leaving networks exposed to remote takeover or BIOS manipulation.

For businesses, the implications are immediate and severe. A compromised KVM can bypass traditional network defenses, granting attackers low‑level hardware control and persistence across reboot cycles. Organizations must reassess the risk of deploying inexpensive KVMs, enforce strict inventory controls, and demand signed firmware updates from vendors. Investing in vetted, enterprise‑grade solutions or implementing network segmentation for out‑of‑band devices can mitigate the threat while preserving the operational benefits of remote console access.
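The signed-firmware requirement raised above, as an added example that is not code from Eclypsium, The Stack, or any of the KVM vendors named: a Go sketch of the update gate a device should apply before it flashes an image. The image layout (a "KVMF" magic, a version field, a payload length, the payload, then an Ed25519 signature over every preceding byte) and the function names are assumptions made for illustration, not any vendor's real format. The point it demonstrates is ordering: nothing in the image, not even its version number, is trusted until the signature verifies against the key embedded in the device, and only then is an anti-rollback check applied, so a tampered image, an image signed by an untrusted key, an image with the signature stripped, and a downgrade to an older signed image are all refused.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Constructed image layout for this example (not any vendor's real format):
//
//	magic "KVMF" (4 bytes) | version, big-endian uint32 (4) | payload length, big-endian uint32 (4)
//	| payload | Ed25519 signature (64 bytes) over every byte that precedes it
const (
	imgMagic = "KVMF"
	hdrLen   = 12
	sigLen   = ed25519.SignatureSize
)

var (
	ErrMalformed = errors.New("firmware image malformed")
	ErrBadSig    = errors.New("firmware signature does not verify against the device's trusted key")
	ErrRollback  = errors.New("firmware version is not newer than the installed version")
)

// NewSigningKey stands in for the vendor's offline build key: the public half
// would be embedded in the device, the private half never leaves the vendor.
func NewSigningKey() (ed25519.PublicKey, ed25519.PrivateKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return pub, priv
}

// BuildImage is the vendor-side step: wrap the payload in a header and sign header+payload.
func BuildImage(priv ed25519.PrivateKey, version uint32, payload []byte) []byte {
	signed := make([]byte, hdrLen, hdrLen+len(payload)+sigLen)
	copy(signed[0:4], imgMagic)
	binary.BigEndian.PutUint32(signed[4:8], version)
	binary.BigEndian.PutUint32(signed[8:12], uint32(len(payload)))
	signed = append(signed, payload...)
	return append(signed, ed25519.Sign(priv, signed)...)
}

// VerifyImage is the device-side gate. It returns the payload only if the image is
// well-formed, the signature verifies under pub, and the version moves forward.
// The version is read from the signed region and only after the signature check,
// so an attacker cannot forge a "newer" header around an old image.
func VerifyImage(pub ed25519.PublicKey, installed uint32, img []byte) (uint32, []byte, error) {
	if len(pub) != ed25519.PublicKeySize {
		return 0, nil, errors.New("trusted key has wrong size")
	}
	if len(img) < hdrLen+sigLen || !bytes.Equal(img[:4], []byte(imgMagic)) {
		return 0, nil, ErrMalformed
	}
	payloadLen := binary.BigEndian.Uint32(img[8:12])
	if uint64(payloadLen) != uint64(len(img)-hdrLen-sigLen) {
		return 0, nil, ErrMalformed
	}
	signed, sig := img[:len(img)-sigLen], img[len(img)-sigLen:]
	if !ed25519.Verify(pub, signed, sig) {
		return 0, nil, ErrBadSig
	}
	version := binary.BigEndian.Uint32(img[4:8])
	if version <= installed {
		return 0, nil, ErrRollback
	}
	return version, img[hdrLen : hdrLen+int(payloadLen)], nil
}

func main() {
	pub, priv := NewSigningKey()
	good := BuildImage(priv, 3, []byte("constructed firmware payload"))

	tampered := append([]byte(nil), good...)
	tampered[hdrLen] ^= 0xff // one flipped payload byte breaks the signature

	otherPub, _ := NewSigningKey() // a key the device does not trust

	cases := []struct {
		name      string
		key       ed25519.PublicKey
		installed uint32
		img       []byte
	}{
		{"genuine, newer", pub, 2, good},
		{"tampered payload", pub, 2, tampered},
		{"untrusted signer", otherPub, 2, good},
		{"rollback attempt", pub, 3, good},
		{"signature stripped", pub, 2, good[:len(good)-sigLen]},
	}
	for _, tc := range cases {
		v, _, err := VerifyImage(tc.key, tc.installed, tc.img)
		fmt.Printf("%-19s -> version=%d err=%v\n", tc.name, v, err)
	}
}
```

Running it prints one line per case; only the genuine, newer image comes back with a version and a nil error. A real device would additionally keep the trusted public key and the installed version in storage the update path cannot overwrite, otherwise the check can be removed by the very update it is meant to gate.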
