9 Critical IP KVM Flaws Enable Unauthenticated Root Access Across Four Vendors

Researchers have discovered nine critical security vulnerabilities in IP KVM (Keyboard, Video, Mouse) solutions from four manufacturers, enabling unauthenticated root-level access to compromised devices. The vulnerabilities affect server infrastructure management systems — tools essential for remote administration of servers in data centers and corporate environments. The threat is particularly severe because IP KVM devices serve as an entry point to critical IT infrastructure. Attackers can gain unauthorized full control over servers and subsequently spread malware laterally across the network. The vulnerabilities remained unknown to manufacturers for an extended period, meaning potentially widespread exposure. The solution is implementing Zero Trust Network Access (ZTNA) — an architecture that requires verification of every access, regardless of device location. Such an approach eliminates the possibility of unauthenticated connections through IP KVM and limits potential lateral movement in the network. Organizations should immediately apply available patches and consider modernizing access policies for management devices.
The world of IP KVM devices – those seemingly innocent switches that allow remote control of computers – has just experienced a shock. Nine critical security vulnerabilities discovered by Eclypsium in devices from four manufacturers could give attackers full control over the systems these devices can access. For many Polish companies, especially those operating in IT, manufacturing, or infrastructure management, this is not abstract news – it's a potential security nightmare. The problem is that IP KVMs are extremely popular devices, cheap, and yet almost completely ignored in most security strategies.
This discovery hits the point where network security meets physical infrastructure security. Devices such as GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM have become an integral part of service workshops, data centers, and IT offices worldwide. They are cheap, practical, reliable – and unfortunately, full of security holes. This is a story worth knowing, because it concerns anyone who has remote access to a computer.
Devices that no one protects
IP KVMs exist in a certain security limbo. They are not routers, so they don't make the priority list of network management teams. They are not computers, so they don't fall into standard operating system update procedures. They are peripheral devices that do one thing – allow remote control of a mouse, keyboard, and intercept video signals from another computer. Over the network. Without the need to install additional software on the target machine.
This simplicity is their curse. Companies buy IP KVMs, mount them in server cabinets, connect them to the network – and forget about them. No one updates the firmware, no one changes default passwords, no one restricts access to them in the firewall. They are treated like traditional hardware devices that, once installed, work unchanged for years. In times when every other element of IT infrastructure undergoes regular security updates, IP KVMs remain forgotten relics.
Eclypsium's research shows that this negligence has real consequences. These devices are accessible on the network, sometimes even from the Internet, if the administrator did not apply appropriate filters. And if they are accessible, they are vulnerable to attacks. The problem is not that these are complicated vulnerabilities requiring advanced knowledge – many of them allow unauthenticated root access, meaning access to the system without any passwords or authentication.
Nine vulnerabilities that open doors wide
Eclypsium identified nine separate vulnerabilities in IP KVMs, with their severity ranging from medium to critical. The most serious of these are those that allow unauthenticated root access – in other words, an attacker can take complete control of the device without needing to provide any credentials. This is the worst-case scenario you can imagine in a security context.
The vulnerabilities include:
- Code injection – the ability to send malicious commands that will be executed with root privileges
- Information disclosure – the ability to read sensitive data from the device, such as passwords or configurations
- Authentication bypass – the ability to log in without knowing the correct password
- Unauthorized configuration changes – the ability to modify device settings by third parties
Each of these vulnerabilities is a threat, but together they create a picture of a device that is practically defenseless. An attacker who finds such an IP KVM on the network can take it over in minutes, without any special skills. And once they have taken over the IP KVM, they have access to everything that device can control.
Importantly, these vulnerabilities are not the result of advanced hacking – they are basic code errors, such as hardcoded passwords, lack of input validation, or lack of communication encryption. These are things that should be caught during the simplest security audits. The fact that they made it to production says a lot about how seriously the manufacturers of these devices take security – that is, not seriously at all.
Four manufacturers, one problem
The vulnerabilities affect four different manufacturers, which suggests the problem is systemic, not limited to one market player. GL-iNet, Angeet/Yeeso, Sipeed, and JetKVM are companies with very different profiles – from major industry players to smaller specialists. The fact that all of them have similar problems suggests that either they use the same source code or they all approach security with similar – that is, insufficient – attention.
GL-iNet is a company known primarily for routers, but its IP KVM products are popular in professional environments. Yeeso and Angeet are more niche manufacturers, but their devices are widespread in Asia and increasingly available in European markets. Sipeed and JetKVM are relatively new brands that gained popularity due to low prices and decent functionality. All have one thing in common – insufficient security.
The fact that vulnerabilities affect multiple manufacturers has important security consequences. It means the problem won't be solved quickly by updating one manufacturer. Each company will have to release its own patches, and each administrator will have to apply them independently. In practice, this means that for a longer time there will be many unpatched devices in networks around the world.
From remote access to full system control
To understand why these vulnerabilities are so serious, you need to understand what an IP KVM can do. The device has access to the host's USB port, video port, and network. This means it can emulate a keyboard and mouse, intercept everything that appears on the screen, and potentially install USB devices. This is a very powerful set of permissions.
An attacker who takes over an IP KVM can:
- Intercept all keystrokes – this way they can learn passwords, access codes, sensitive information typed by the user
- Emulate keyboard and mouse – they can send system commands, run programs, open files, everything as if they were sitting in front of the computer
- Intercept video – they can see everything that appears on the screen, including passwords, documents, sensitive data
- Install malicious USB devices – some IP KVMs can emulate USB devices, which allows installation of software, keyloggers, or ransomware
This is not ordinary system access – this is access from the deepest layers of hardware. An antivirus on the computer won't be able to detect this, because the IP KVM operates outside the operating system. A firewall won't be able to block this, because the device is on the network. This is access that is practically impossible to defend against if the IP KVM itself is compromised.
Polish IT infrastructure in the crosshairs
Poland, as a country with a dynamically developing IT sector and increasingly advanced infrastructure, is particularly vulnerable to this type of threat. Many Polish companies – from technology startups to large corporations – use IP KVMs. They are cheap, practical, and no one thinks of them as a security threat. Especially since they are often purchased by IT teams without consulting security teams.
Polish data centers, service workshops, IT offices – everywhere where remote access to computers is needed, IP KVMs are common. And everywhere they are common, they are vulnerable. If an attacker looks for Polish IP KVMs accessible from the Internet, they will definitely find them. Shodan and other scanning tools can do this automatically.
What's worse, many Polish companies don't have procedures for regularly updating IP KVM firmware. These are devices that are installed and then forgotten. No one checks if new versions are available, no one monitors whether there are known vulnerabilities. This is an ideal target for an attacker – a device that is known not to be updated.
Insufficient support from manufacturers
Eclypsium disclosed the vulnerabilities to manufacturers in accordance with a responsible disclosure process. However, the manufacturers' response was – to put it mildly – slow and incomplete. Some manufacturers released patches, but not for all models. Others are still working on fixes. This means that for a long time there will be many devices that remain vulnerable to attacks.
The problem is that IP KVM manufacturers are often small or medium-sized companies that don't have the resources to respond quickly to security threats. They don't have dedicated security teams, they don't have processes for quick patch releases, they don't even have infrastructure for distributing updates. When Eclypsium discovered the vulnerabilities, many manufacturers simply didn't know how to fix them quickly.
This leaves IP KVM administrators in a difficult situation. They can wait for patches from manufacturers – and risk attacks in the meantime. They can try to apply workarounds – for example, by restricting access to IP KVMs in the firewall. But they can't simply "fix" the problem themselves, because they don't have access to the source code.
Temporary solutions and long-term strategies
Until manufacturers release complete patches, administrators should take several steps to reduce risk. First, restrict network access to IP KVMs – they should be accessible only from specific networks, never from the Internet. Second, change default passwords – many IP KVMs have hardcoded passwords, but at least changing them can make the attacker's job harder. Third, monitor network traffic to and from IP KVMs – if there's anything suspicious, it could be a sign of an attack.
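The first and third of these steps can be checked against flow logs. The script below is an added example, not code from the article or from Eclypsium: it flags connections that reach a KVM from outside an approved management subnet, and connections that a KVM itself initiates to unexpected destinations. All addresses, subnets and the three-field log format are constructed assumptions.

```python
import ipaddress as ipa

# All addresses below are constructed for illustration (private and
# documentation ranges); none come from the article.
KVM_HOSTS = {ipa.ip_address(a) for a in ("10.20.0.11", "10.20.0.12")}
MGMT_NETS = [ipa.ip_network("10.99.0.0/24")]     # approved admin jump hosts
INTERNAL_NETS = [ipa.ip_network("10.0.0.0/8")]   # everything else on-site
KVM_EGRESS_OK = {ipa.ip_address("10.20.0.1")}    # e.g. local NTP/DNS server

# Constructed flow records, one per line: "src dst dst_port"
SAMPLE_FLOWS = """\
10.99.0.5 10.20.0.11 443
10.30.4.77 10.20.0.11 443
203.0.113.9 10.20.0.12 80
10.20.0.12 198.51.100.23 4444
10.20.0.11 10.20.0.1 123
10.30.4.77 10.30.4.80 22
"""

def in_any(ip, nets):
    return any(ip in net for net in nets)

def classify(src, dst):
    """Return a verdict for one flow relative to the KVM access policy."""
    src, dst = ipa.ip_address(src), ipa.ip_address(dst)
    if dst in KVM_HOSTS:
        if in_any(src, MGMT_NETS):
            return "ok"
        # Any other source reaching the KVM is a filtering gap.
        return "unapproved-internal-source" if in_any(src, INTERNAL_NETS) else "internet-source"
    if src in KVM_HOSTS:
        # A KVM should only initiate traffic to a few known services.
        return "ok" if dst in KVM_EGRESS_OK else "unexpected-kvm-egress"
    return "not-kvm"

def audit(flow_text):
    """Return (flow_line, verdict) for every flow that violates the policy."""
    findings = []
    for line in flow_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed records rather than guessing
        verdict = classify(parts[0], parts[1])
        if verdict not in ("ok", "not-kvm"):
            findings.append((line, verdict))
    return findings

if __name__ == "__main__":
    for line, verdict in audit(SAMPLE_FLOWS):
        print(f"{verdict:28}{line}")
```

An "internet-source" finding means the firewall restriction is missing; "unexpected-kvm-egress" is the kind of suspicious traffic the monitoring step is meant to surface.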
In the long term, companies should review their security strategy for peripheral devices. IP KVMs are not the only such devices – there are also network switches, power management servers, monitoring cameras. All these devices are often ignored in security strategies, and all can be attack vectors. Companies should treat them with the same seriousness as computers and servers.
This means regular firmware updates, strong passwords, restricted network access, monitoring, and security audits. It also means choosing manufacturers who take security seriously – who release regular patches, who have vulnerability disclosure processes, who communicate with users about threats. In a world where IP KVMs are ubiquitous, this is not a luxury – it's a necessity.
A lesson for the entire industry
The story of IP KVMs is not a story about three devices that have problems – it's a story about an entire category of devices that are neglected in terms of security. It's a story about how companies buy devices based on price and functionality, not security. It's a story about how IT administrators are overwhelmed and don't have time to check every device on the network. It's a story about how manufacturers prioritize speed to market over security.
Eclypsium's discovery should be a call to action for the entire industry. Manufacturers should invest in security from the start, not add it as an afterthought. Administrators should treat every device on the network as a potential security threat. And companies should have processes that ensure every device is regularly updated and monitored.
For Polish companies, this is an opportunity to review their IT infrastructure and ensure that IP KVMs – if they have them – are secure. It's an opportunity to invest in the security of peripheral devices that are often neglected. It's an opportunity to show that the Polish IT industry takes security seriously. The time to do this is now – before attackers start massively scanning networks looking for vulnerable IP KVMs.

