Description
JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification.
Published: 2026-03-17
Score: 7 High
EPSS: < 1% Very Low
KEV: No
Impact: Remote code execution via malicious firmware
Action: Immediate patch
AI Analysis

Impact

JetKVM devices before version 0.5.4 do not verify the authenticity of downloaded firmware. An attacker who can observe or manipulate the update stream can replace the firmware image and its SHA256 hash, causing the device to install a tampered version. The compromised firmware can execute arbitrary code on the KVM device, undermining its integrity and potentially enabling further attacks against connected systems.

Affected Systems

The vulnerability affects all JetKVM devices running firmware versions older than 0.5.4. Any unit relying on the default update mechanism without additional verification is at risk.

Risk and Exploitability

The CVSS score of 7 indicates a high severity, while an EPSS score of less than 1% shows a low to moderate likelihood of exploitation. The absence from the CISA KEV catalog does not diminish the potential impact. Exploitation would require the attacker to intercept or control the firmware update process, a scenario that is plausible for a malicious or compromised update server or for an attacker with network access to the device. Once successful, the attacker could achieve persistent remote code execution on the affected KVM unit.

Generated by OpenCVE AI on April 10, 2026 at 02:29 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official firmware update to version 0.5.4 or later on all JetKVM devices
  • Configure the device to accept firmware updates only from trusted, signed sources
  • Restrict network access to the firmware update server and monitor for abnormal update requests
  • Verify firmware integrity manually or via external tools if an automatic check is not available
  • Consult JetKVM advisories for additional security guidance

Generated by OpenCVE AI on April 10, 2026 at 02:29 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 01:30:00 +0000

Type Values Removed Values Added
First Time appeared Jetkvm kvm
CPEs cpe:2.3:a:jetkvm:kvm:*:*:*:*:*:*:*:*
Vendors & Products Jetkvm kvm

Wed, 18 Mar 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared Jetkvm
Jetkvm jetkvm
Vendors & Products Jetkvm
Jetkvm jetkvm

Tue, 17 Mar 2026 19:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Tue, 17 Mar 2026 17:45:00 +0000

Type Values Removed Values Added
Description JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification.
Title JetKVM insufficient firmware verification
Weaknesses CWE-345
CWE-347
References
Metrics cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N'}

cvssV4_0

{'score': 7, 'vector': 'CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H'}

Subscriptions

Jetkvm Jetkvm Kvm
cve-icon MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-17T18:12:13.714Z

Reserved: 2026-03-11T18:26:33.310Z

Link: CVE-2026-32294

cve-icon Vulnrichment

Updated: 2026-03-17T18:12:10.826Z

cve-icon NVD

Status : Analyzed

Published: 2026-03-17T18:16:16.610

Modified: 2026-04-10T01:29:42.367

Link: CVE-2026-32294

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:46:29Z

Weaknesses