Cybersecurity researchers have warned about the risks posed by low-cost IP KVM (Keyboard, Video, Mouse over Internet Protocol) devices, which can grant attackers extensive control over compromised hosts.
The nine vulnerabilities, discovered by Eclypsium, span four different products from GL-iNet Comet RM-1, Angeet/Yeeso ES3 KVM, Sipeed NanoKVM, and JetKVM.
The most severe of them allow unauthenticated actors to gain root access or run malicious code.
"The common themes are damning: missing firmware signature validation, no brute-force protection, broken access controls, and exposed debug interfaces," researchers Paul Asadoorian and Reynaldo Vasquez Garcia said in an analysis.
With IP KVM devices enabling remote access to the target machine's keyboard, video output, and mouse input at the BIOS/UEFI level, successful exploitation of vulnerabilities in these products can expose systems to potential takeover risks, undermining security controls put in place.
The list of shortcomings is as follows -
"These are not exotic zero-days requiring months of reverse engineering," the researchers noted.
"These are fundamental security controls that any networked device should implement.
We are looking at the same class of failures that plagued early IoT devices a decade ago, but now on a device class that provides the equivalent of physical access to everything it connects to."