Description
JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification.
Published: 2026-03-17
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Firmware Tampering (Potential RCE)
Action: Immediate Patch
AI Analysis

Impact

JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. This allows an attacker in‑the‑middle or a compromised update server to modify the firmware and its corresponding SHA256 hash so that the device incorrectly accepts the tampered firmware. The vulnerability is a legitimate example of missing data validation (CWE‑345) and absence of integrity checks (CWE‑347). Installing the malicious firmware can give an attacker full control of the device, enabling arbitrary code execution, data theft, or disruption of services.

Affected Systems

All JetKVM devices running firmware versions earlier than 0.5.4 are affected. No other vendors or products are listed.

Risk and Exploitability

A CVSS score of 7 indicates a high severity level. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The most likely attack vector is a network‑based compromise: either a man‑in‑the‑middle position intercepting the update traffic or a compromised update server providing a dishonest firmware image. The attack does not require local privileges; any entity with access to the device’s update channel can exploit it.

Generated by OpenCVE AI on March 17, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetKVM firmware to version 0.5.4 or later.
  • Verify that firmware updates are obtained from a trusted source and validate checksum integrity.
  • Monitor network traffic for unauthorized firmware downloads or update anomalies.

Generated by OpenCVE AI on March 17, 2026 at 18:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Jetkvm kvm
CPEs cpe:2.3:a:jetkvm:kvm:*:*:*:*:*:*:*:*
Vendors & Products Jetkvm kvm

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Jetkvm
Jetkvm jetkvm
Vendors & Products Jetkvm
Jetkvm jetkvm

Tue, 17 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification.
Title JetKVM insufficient firmware verification
Weaknesses CWE-345
CWE-347
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N'}

cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Jetkvm Jetkvm Kvm
cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-17T18:12:13.714Z

Reserved: 2026-03-11T18:26:33.310Z

Link: CVE-2026-32294

cve-icon Vulnrichment

Updated: 2026-03-17T18:12:10.826Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-17T18:16:16.610

Modified: 2026-04-10T01:29:42.367

Link: CVE-2026-32294

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-03-24T10:49:04Z

Weaknesses