
Inexpensive and Risky: IP KVMs Have Significant Vulnerabilities


Security Concerns Emerge Over Affordable Internet-Connected Remote Access Tools Operating at UEFI Level

In recent months, the market has seen a surge in low-cost devices designed for remote IP control of servers and human-machine interfaces, prompting a chorus of warnings about their security vulnerabilities. These devices, commonly referred to as KVMs (keyboard, video, mouse), function at the Unified Extensible Firmware Interface (UEFI) level. This allows them to operate independently of the operating system, which makes them appealing for remote management tasks, especially for those seeking to avoid hazardous environments or lengthy commutes to data centers.

Traditionally, KVM devices were expensive and often rack-mounted, making them accessible primarily to larger organizations with substantial budgets. However, the landscape has dramatically shifted, with these devices now available for less than $100. This price drop has made KVMs increasingly popular, but it has simultaneously opened a door for cybercriminals who view them as potential vectors for cyberattacks.

When a KVM device is compromised, the ramifications can be severe. Attackers gain unauthorized access that is akin to having physical control over every machine connected to the KVM—it’s more than just remote access; they have full control over keyboard inputs, video output, and mouse commands, even at the Basic Input/Output System (BIOS) level. This alarming prospect was highlighted in a blog post by firmware security firm Eclypsium, which underscored the gravity of the situation. According to the firm, once attackers gain control of a KVM, they can inject keystrokes, boot systems into BIOS or safe mode, and persistently reinfect the host computer.

A principal security researcher at Eclypsium, Paul Asadoorian, pointed out that these devices function as small computers running Linux, and their proliferation is occurring far more rapidly than many in the industry had anticipated. In a recent investigation, Eclypsium examined devices from four different KVM vendors and uncovered a total of nine vulnerabilities. The findings were startling: fundamental security hygiene failures, including missing firmware signature validation, inadequate brute-force protection, compromised access controls, and exposed debug interfaces.

Not all manufacturers have taken these warnings seriously. Some have failed to commit to addressing the identified vulnerabilities, raising further concerns regarding the overall safety of KVM devices on the market. Among the vulnerabilities, the most critical one, identified as CVE-2026-32297, affects the ES3 KVM model created by Angeet, which also operates under the Yesso brand. This specific flaw permits unauthenticated hackers to write arbitrary files to the device via a network-accessible upload endpoint. Another identified issue, referenced as CVE-2026-32298, exposes an attack vector allowing malicious users to inject root commands through the device’s configuration script, due to a lack of input sanitization.
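The class of flaw described above, unsanitized input reaching a configuration script, is shown here as an added example that is not from the article, Eclypsium, or any vendor's firmware: a constructed handler in its unsafe form beside an allowlist-validated form. The field names (`hostname`, `ip`, `gateway`) and all function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed example: field names and the "apply" step are hypothetical,
# not taken from any vendor's firmware.

# UNSAFE: the raw value is spliced into a string that a shell re-parses, so
# ';' or '$( )' in the value runs as a command with the script's privileges.
apply_unsafe() {
    sh -c "echo hostname=$1"
}

# Allowlist per field: a value must match the expected shape or is refused.
valid_hostname() {
    case "$1" in
        ''|-*|*-|*[!A-Za-z0-9-]*) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1            # split on dots; value holds only digits and dots here
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# SAFE: validate by field, then pass the value as a single argument so that
# nothing interprets it as shell syntax.
apply_safe() {           # usage: apply_safe FIELD VALUE
    case "$1" in
        hostname)   valid_hostname "$2" || return 1 ;;
        ip|gateway) valid_ipv4 "$2" || return 1 ;;
        *)          return 1 ;;   # unknown fields are refused
    esac
    printf '%s=%s\n' "$1" "$2"    # stand-in for writing the setting
}

# Constructed inputs: a normal value, then one carrying a shell separator.
apply_safe hostname 'kvm-01'
apply_safe hostname 'kvm1; echo INJECTED' || echo "rejected: hostname"
```

Validation of this kind belongs on the device side, in the script that consumes the value, since a check performed only in the web form can be bypassed by sending the request directly.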

Angeet has pledged to rectify these vulnerabilities, but a specified timeline for such fixes has yet to be provided. This delay further intensifies concerns for enterprises relying on these devices.

Eclypsium’s recent findings are not isolated incidents; other security firms, including runZero, have issued similar warnings about KVMs. A blog post from June 2025 pointed out multiple flaws tied to the latest KVM offerings, including users being charged for authentication features, lingering software flaws, and excessive disclosures regarding configuration settings.

The implications of KVM vulnerabilities extend beyond mere technical concerns. Alarmingly, these devices have also raised suspicions of being utilized by North Korean IT workers, who reportedly deploy them on company-issued laptops managed by laptop farm managers to obscure their actual locations. This development adds a layer of geopolitical tension to the issues surrounding KVM devices.

Cyberattack campaigns specifically exploiting KVM vulnerabilities have not been widely reported so far, but experts speculate that it is only a matter of time before these devices attract malicious actors seeking to capitalize on their weaknesses. As Asadoorian noted, as the use of KVMs continues to expand, they will increasingly come under the scrutiny of attackers. Cybercriminals will likely scan for exposed KVMs across the internet, with these devices offering an ideal opportunity for hidden infiltrations.

In conclusion, while the affordability and accessibility of KVMs present significant advantages for remote management, the associated security risks should not be underestimated. Enterprises and organizations that utilize these devices must remain vigilant and proactive in addressing these vulnerabilities to safeguard their networks and sensitive information from potential cyber threats. The convergence of low cost and daunting security concerns represents a critical intersection that demands careful consideration from industry stakeholders.
