Internet-Connected Remote Access Tools Operate at UEFI Level

A flood of low-cost devices for remote IP control of servers or human-machine interfaces has roused a concomitant wave of warnings about their security defects.
KVM – “keyboard, video, mouse” – devices operate at the UEFI level of computing devices, in contrast to remote management tools that require an already loaded operating system. Their appeal for remote management is palpable, whether because they eliminate a long drive to the data center or allow an engineer to access a human-machine interface without exposure to unsafe surroundings.
Not so long ago, KVMs were rack-mounted and expensive. Now they’re cheap and abundant – to be had for less than $100. They’re gaining recognition as a vector for cyberattacks. Breach a KVM and a hacker can operate below the operating system and out of sight of traditional security tools, endpoint detection and response tools or antivirus software.
“Compromising a KVM device gives an attacker the equivalent of physical access to every machine connected to it. Not ‘kind of like’ physical access. Actual keyboard, video and mouse control, at the BIOS level,” warns firmware security firm Eclypsium in a Tuesday blog post.
“These are basically small computers running Linux. Once they control that pivot point, attackers can inject keystrokes, boot into BIOS or safe mode and constantly reinfect the host system,” said Paul Asadoorian, principal security researcher at Eclypsium.
“There’s a lot more of these devices hitting the market at a lower cost than initially thought,” Asadoorian told Information Security Media Group.
Eclypsium probed devices made by four KVM vendors, discovering nine vulnerabilities. “The common themes are damning: missing firmware signature validation, no brute-force protection, broken access controls and exposed debug interfaces. These are fundamental security hygiene failures,” the firm wrote.
Not all manufacturers approached by Eclypsium committed to patching the issues.
The most serious vulnerability, tracked as CVE-2026-32297, affects the ES3 KVM model made by manufacturer Angeet, which also sells devices under the Yesso brand. The vulnerability exposes an endpoint for uploading, meaning an unauthenticated hacker with network access could write arbitrary files to the device. Another flaw, CVE-2026-32298, allows an unauthenticated attacker to inject root commands through the conf.lua configuration script because the device doesn’t sanitize inputs.
Eclypsium said Angeet committed to fixing the flaws but did not provide a timeline.
Eclypsium is not the first security firm to warn about KVMs. In a June 2025 blog post, runZero detected a slew of flaws in the latest wave of KVMs such as charging users for authentication features, unresolved software flaws and overly verbose disclosures about configuration settings.
KVMs have also generated unease for their use by North Korean IT workers, who have deployed them onto company-issued laptops managed by laptop farm managers in order to mask their actual location (see: How to Spot a North Korean Job Candidate).
Although a widespread threat campaign has yet to be observed exploiting the vulnerabilities, Asadoorian says it’s only a matter of time before attackers target them.
“As this becomes more popular and gets on attackers’ radar they’ll say, ‘let me see if any are exposed to the internet,’” Asadoorian said, because “KVMs are such a great place to hide.”
