HackMyIP
2026-03-17 Ars Technica

Critical IP KVM Flaws Expose Thousands to Remote BIOS Attacks

Tags: Vulnerability, Zero-Day, Supply Chain

Security researchers have disclosed critical vulnerabilities affecting IP KVM (Keyboard, Video, Mouse) devices from four major manufacturers, potentially exposing thousands of enterprise systems to remote attacks. The flaws, discovered by researchers at SentinelOne and Binarly, allow unauthenticated attackers to gain BIOS-level access to connected servers through internet-facing management interfaces. Affected manufacturers include ATEN, Raritan, Dell, and HP, representing a substantial portion of the enterprise KVM market.

The vulnerabilities stem from multiple weaknesses, including an authentication bypass (CVE-2024-5423), insecure default credentials, and improper input validation in the device firmware. Researchers found that many internet-exposed devices were still configured with the factory-default administrative password. In several proof-of-concept demonstrations, the team achieved arbitrary code execution at the firmware level within minutes of connecting to an exposed device.

With BIOS-level access, attackers can install persistent firmware implants that survive complete operating system reinstallations and hardware replacements. The research team demonstrated how compromised KVMs could serve as jumping-off points for lateral movement through enterprise networks, enabling data exfiltration and long-term persistent access for advanced persistent threat (APT) groups. More than 8,000 vulnerable devices were identified as directly internet-facing, with concentrations in North America and Europe.

Manufacturers have released firmware updates addressing the most critical vulnerabilities. Security researchers recommend immediate patching of all affected devices, avoiding direct internet exposure of KVM management interfaces, implementing strong unique passwords for administrative accounts, and enabling intrusion detection monitoring on out-of-band management networks.
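The four recommendations above (patch, keep management interfaces off the internet, replace default passwords, monitor the out-of-band segment) can be turned into a repeatable inventory audit. The script below is an added example for this summary, not code from Ars Technica, SentinelOne, Binarly or any of the named vendors. It assumes a constructed device inventory, an assumed out-of-band management network of 10.200.0.0/16, and placeholder minimum firmware versions per vendor (the vendor names are from the article; the version numbers are not real patched releases and must be replaced with the values in each vendor's advisory).

```python
"""Audit an IP KVM inventory against the mitigations recommended in the article.

Added example (not vendor or researcher code). Every network, version and
device below is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Assumption: the only network a KVM management interface is allowed to sit on.
OOB_MGMT_NETS = [ipaddress.ip_network("10.200.0.0/16")]

# Placeholder baselines: replace with the patched firmware version from each
# vendor's advisory. These numbers are NOT the real fixed releases.
MIN_FIRMWARE = {
    "aten": "2.0.0",
    "raritan": "3.1.0",
    "dell": "4.0.0",
    "hp": "1.5.0",
}


@dataclass
class KvmDevice:
    name: str
    vendor: str
    mgmt_ip: str
    firmware: str
    default_password: bool  # True if the factory admin password is still set
    ids_monitored: bool     # True if the management segment feeds the IDS


def parse_version(version: str) -> tuple:
    """Turn a dotted numeric version such as '2.0.1' into a comparable tuple.
    Assumes purely numeric components; adjust for vendors that use suffixes."""
    return tuple(int(part) for part in version.split("."))


def audit_device(dev: KvmDevice) -> list:
    """Return the list of mitigation gaps for one device (empty list = compliant)."""
    findings = []
    ip = ipaddress.ip_address(dev.mgmt_ip)

    # 1. Exposure: the interface must live on the allow-listed OOB network.
    if not any(ip in net for net in OOB_MGMT_NETS):
        findings.append("management interface not on the OOB management network")

    # 2. Patch level: compare against the per-vendor baseline.
    minimum = MIN_FIRMWARE.get(dev.vendor.lower())
    if minimum is None:
        findings.append(f"no firmware baseline defined for vendor {dev.vendor}")
    elif parse_version(dev.firmware) < parse_version(minimum):
        findings.append(f"firmware {dev.firmware} below baseline {minimum}")

    # 3. Credentials: factory defaults are a finding on their own.
    if dev.default_password:
        findings.append("factory-default administrative password still set")

    # 4. Monitoring: the OOB segment should be covered by intrusion detection.
    if not dev.ids_monitored:
        findings.append("management segment not monitored by IDS")

    return findings


def audit(inventory: list) -> dict:
    """Map each device name to its findings."""
    return {dev.name: audit_device(dev) for dev in inventory}


def prioritize(report: dict) -> list:
    """Device names ordered by number of findings (most gaps first)."""
    return sorted(report, key=lambda name: (-len(report[name]), name))


# Constructed sample inventory; 203.0.113.0/24 is a documentation range.
SAMPLE_INVENTORY = [
    KvmDevice("kvm-dc1-01", "ATEN", "203.0.113.10", "1.9.2", True, False),
    KvmDevice("kvm-dc1-02", "Raritan", "10.200.4.15", "3.1.0", False, True),
    KvmDevice("kvm-dc2-01", "Dell", "10.50.1.7", "4.2.0", False, True),
]

if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY)
    for name in prioritize(report):
        status = "OK" if not report[name] else f"{len(report[name])} finding(s)"
        print(f"{name}: {status}")
        for finding in report[name]:
            print(f"  - {finding}")
```

The exposure check is deliberately an allow-list (is the interface inside the OOB network?) rather than a "does this look like a public address?" heuristic, so a KVM that has drifted onto a production LAN is flagged just as an internet-facing one is. The firmware baseline is the one input that must come from the vendor advisory; everything else can be populated from an asset database or a configuration export.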

Source: Ars Technica
