9 Critical IP KVM Flaws Grant Unauthenticated Root Access Across Four Vendors
What Happened — Researchers at Eclypsium disclosed nine critical vulnerabilities in low‑cost IP KVM (Keyboard‑Video‑Mouse over IP) devices from four manufacturers. The flaws allow an unauthenticated remote attacker to obtain root on the KVM device and, through the console access the device provides, take full control of the connected system.
Why It Matters for TPRM —
- Remote‑console hardware is trusted by design (it sits on the server's keyboard, video and mouse) and is often left reachable from production networks, making these bugs a high‑impact supply‑chain risk.
- Successful exploitation can lead to full server compromise, data exfiltration, and lateral movement across critical infrastructure.
- Many organizations lack visibility into KVM inventory, increasing the chance of unpatched devices remaining in the environment.
Who Is Affected — Data‑center operators, telecom carriers, cloud service providers, managed‑service providers (MSPs), manufacturing plants, and any enterprise that deploys IP KVMs for remote server management.
Recommended Actions —
- Conduct an immediate inventory of all IP KVM hardware and map them to the four affected product lines.
- Apply vendor‑released firmware patches or, if none is available, isolate the devices on a segmented management VLAN reachable only from a jump host, with firewall rules that deny all other sources. Because the bypass is unauthenticated, network reachability is the attack surface.
- Change default credentials and enable multi‑factor authentication where the device supports it, but treat these as hygiene rather than mitigation: an authentication bypass is exploited before any password or second factor is checked.
- Update third‑party risk questionnaires to include remote‑console hardware security controls.
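The inventory and patch‑or‑isolate steps above, as an added example that is not from Eclypsium or The Hacker News. The vendor and model names, fixed firmware versions, management subnet and the inventory rows are all constructed placeholders: the article names neither the affected vendors nor the fixed versions, so substitute the real values from the vendor advisories.

```python
"""Triage an IP KVM inventory export.

Flags every device on an affected product line that is below the vendor's
fixed firmware (or has no fix at all) and every KVM whose management address
is outside the isolated management network.

Added example. FIXED_FIRMWARE, MANAGEMENT_NETS and SAMPLE_INVENTORY are
constructed placeholders, not the real affected products or versions.
"""
import csv
import io
import ipaddress
from dataclasses import dataclass

# Hypothetical table: (vendor, model) -> first firmware version containing the
# fix. None means the vendor has not shipped a fix, so isolation is the only option.
FIXED_FIRMWARE = {
    ("vendora", "kvm-lite"): "2.4.1",
    ("vendorb", "remote-console"): "1.9.0",
    ("vendorc", "ipkvm-mini"): None,
    ("vendord", "console-pro"): "5.0.3",
}

# Hypothetical: the only network from which KVM management should be reachable.
MANAGEMENT_NETS = [ipaddress.ip_network("10.99.0.0/24")]

# Constructed discovery/CMDB export in the shape a scanner would produce.
SAMPLE_INVENTORY = """\
ip,vendor,model,firmware
10.99.0.12,VendorA,kvm-lite,2.4.1
10.20.5.7,VendorA,kvm-lite,v2.3.9
10.99.0.40,VendorB,remote-console,1.8.2
192.168.1.50,VendorC,ipkvm-mini,0.9.7
10.99.0.77,VendorD,console-pro,5.1.0
10.99.0.80,OtherCo,switch,7.0.0
"""


@dataclass
class Finding:
    ip: str
    vendor: str
    model: str
    firmware: str
    vulnerable: bool   # affected line and below the fixed version (or no fix)
    exposed: bool      # management IP outside MANAGEMENT_NETS
    actions: tuple     # what to do about it


def parse_version(v: str) -> tuple:
    """'v2.10.0' -> (2, 10, 0). Numeric tuples compare correctly; plain string
    comparison would wrongly rank '2.9.0' above '2.10.0'."""
    return tuple(int(p) for p in v.strip().lstrip("vV").split("."))


def fix_status(vendor: str, model: str, firmware: str):
    """Return (on_affected_line, vulnerable, fix_available)."""
    key = (vendor.lower(), model.lower())
    if key not in FIXED_FIRMWARE:
        return False, False, False
    fixed = FIXED_FIRMWARE[key]
    if fixed is None:
        return True, True, False
    return True, parse_version(firmware) < parse_version(fixed), True


def is_exposed(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in MANAGEMENT_NETS)


def decide_actions(vulnerable: bool, fix_available: bool, exposed: bool) -> tuple:
    acts = []
    if vulnerable:
        acts.append("patch" if fix_available else "no-fix-isolate")
    if exposed:
        acts.append("move-to-mgmt-vlan")
    return tuple(acts) or ("ok",)


def triage(inventory_csv: str) -> list:
    """One Finding per device on an affected product line; other hardware is ignored."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        affected, vuln, fix_avail = fix_status(row["vendor"], row["model"], row["firmware"])
        if not affected:
            continue
        exposed = is_exposed(row["ip"])
        findings.append(Finding(row["ip"], row["vendor"], row["model"], row["firmware"],
                                vuln, exposed, decide_actions(vuln, fix_avail, exposed)))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f"{f.ip:<14} {f.vendor}/{f.model} fw={f.firmware:<7} -> {', '.join(f.actions)}")
```

Feed it the real discovery export and the vendors' fixed versions; devices reported as `no-fix-isolate` are the ones that need the VLAN and firewall treatment regardless of their credential settings.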
Technical Notes — The vulnerabilities span authentication bypass, insecure firmware update mechanisms, and improper input validation, and together yield unauthenticated root access. No public CVE numbers had been assigned at the time of reporting; the flaws are nonetheless rated critical (CVSS ≥ 9.0). Exploitation gives the attacker full control of the device and of the attached system's console, enabling data theft, ransomware deployment, or sabotage of critical services. Source: The Hacker News