Security researchers have identified critical vulnerabilities in IP KVMs, low-cost devices that enable remote access to machines at the BIOS or UEFI firmware level. These flaws, disclosed by Eclypsium, affect products from four manufacturers and allow attackers to execute malicious code or obtain root privileges without authentication.
IP KVMs, typically priced between $30 and $100, are compact devices roughly the size of a deck of cards. Administrators use them to manage network machines remotely, providing control before the operating system loads. This capability offers convenience but also introduces significant risks if misused by insiders or external hackers.
Eclypsium’s team, including researchers Paul Asadoorian and Reynaldo Vasquez Garcia, detailed nine vulnerabilities in a report released on Tuesday. The most severe issues permit unauthenticated attackers to gain root access or run arbitrary code on the devices. “These are not exotic zero-days requiring months of reverse engineering,” the researchers noted. “These are fundamental security controls that any networked device should implement.”
The flaws stem from basic security failures such as inadequate input validation, weak authentication mechanisms, lack of cryptographic verification, and insufficient rate limiting. Asadoorian and Garcia compared these oversights to the vulnerabilities that plagued early IoT devices a decade ago. However, they emphasized that IP KVMs pose a greater threat because they provide “the equivalent of physical access to everything they connect to.”
Risks escalate when these devices are exposed to the internet with weak security configurations or when insiders connect them surreptitiously. Firmware vulnerabilities further enable remote takeover, allowing attackers to compromise what might otherwise be secure networks. The researchers warned that the broad powers granted by IP KVMs can “torpedo” network security if exploited.
Eclypsium’s findings highlight a recurring issue in networked hardware: the neglect of fundamental security practices in favor of low cost and convenience. The vulnerabilities underscore the need for robust security measures in devices that offer deep system access, particularly as remote management tools become more prevalent in enterprise environments.
