Description
JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials.
Published: 2026-03-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Remote Brute‑Force Login
Action: Immediate Patch
AI Analysis

Impact

JetKVM devices before version 0.5.4 lack any mechanism to limit the number of login attempts, permitting attackers to perform brute‑force attacks against the device’s authentication. The vulnerability is classified as CWE‑307 (Improper Restriction of Excessive Authentication Attempts). Successful exploitation results in compromised credentials and subsequent unauthorized access to the virtual machine, exposing the underlying host to full control by the attacker.

Affected Systems

The affected vendor is JetKVM and the product is JetKVM. Any deployed JetKVM device running a software version earlier than 0.5.4 is susceptible. The associated release information can be found in the vendor’s release notes for release/0.5.4.

Risk and Exploitability

The CVSS score of 9.3 indicates a high severity risk. The EPSS score is not available, but the absence of rate limiting makes automated exploitation highly feasible. The vulnerability is not listed in the CISA KEV catalog. Based on the description, the likely attack vector is remote over the network, where an attacker can repeatedly attempt credentials until success. Once authenticated, the attacker gains full control of the virtual machine and, by extension, the host system.

Generated by OpenCVE AI on March 17, 2026 at 18:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the JetKVM device to version 0.5.4 or later, which implements proper login rate limiting.
  • Verify that the rate limiting feature is active after the upgrade by attempting multiple failed logins and observing the enforced delays or lockouts.
  • Monitor authentication logs for suspicious login activity to detect any brute‑force attempts early.
  • If an upgrade cannot be performed immediately, restrict network access to the JetKVM device using firewalls or device‑level ACLs to limit potential attack surface.

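The control that closes a CWE-307 gap is a per-source failed-login limiter, shown here in Go as an added illustration; this is not JetKVM's own 0.5.4 code, and the threshold, window and lockout values, the source key (a client address) and the function names are assumptions.

```go
package main

import "time"

// LoginLimiter counts failed logins per source (for example a client IP) in a
// sliding window and locks the source out once the threshold is reached. This
// is an illustrative example, not JetKVM's code; callers must serialise access.
type LoginLimiter struct {
	maxFailures int
	window      time.Duration
	lockout     time.Duration
	failures    map[string][]time.Time
	lockedUntil map[string]time.Time
}

func NewLoginLimiter(maxFailures int, window, lockout time.Duration) *LoginLimiter {
	return &LoginLimiter{maxFailures: maxFailures, window: window, lockout: lockout,
		failures: map[string][]time.Time{}, lockedUntil: map[string]time.Time{}}
}

// Allow reports whether source may attempt a login at time now. The time is a
// parameter rather than time.Now() so the behaviour is deterministic to test.
func (l *LoginLimiter) Allow(source string, now time.Time) bool {
	if until, locked := l.lockedUntil[source]; locked {
		if now.Before(until) {
			return false
		}
		delete(l.lockedUntil, source) // lockout expired: forget the history
		delete(l.failures, source)
	}
	return true
}

// RecordFailure notes a failed attempt and reports whether source is now locked.
func (l *LoginLimiter) RecordFailure(source string, now time.Time) bool {
	recent := l.failures[source][:0] // keep only attempts inside the window
	for _, t := range l.failures[source] {
		if now.Sub(t) < l.window {
			recent = append(recent, t)
		}
	}
	recent = append(recent, now)
	l.failures[source] = recent
	if len(recent) >= l.maxFailures {
		l.lockedUntil[source] = now.Add(l.lockout)
		return true
	}
	return false
}

// RecordSuccess clears the failure history after a valid login.
func (l *LoginLimiter) RecordSuccess(source string) { delete(l.failures, source) }
```

A login handler would call Allow before checking the password and RecordFailure or RecordSuccess afterwards; the lockout rejects the request without evaluating credentials, which is what turns an unbounded guessing loop into a bounded one.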


Advisories

No advisories yet.

History

Fri, 10 Apr 2026 01:30:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Jetkvm kvm
CPEs                 -                cpe:2.3:a:jetkvm:kvm:*:*:*:*:*:*:*:*
Vendors & Products   -                Jetkvm kvm

Wed, 18 Mar 2026 12:15:00 +0000

Type                 Values Removed   Values Added
First Time appeared  -                Jetkvm
                                      Jetkvm jetkvm
Vendors & Products   -                Jetkvm
                                      Jetkvm jetkvm

Tue, 17 Mar 2026 19:15:00 +0000

Type      Values Removed   Values Added
Metrics   -                ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 17:45:00 +0000

Type         Values Removed   Values Added
Description  -                JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials.
Title        -                JetKVM insufficient login rate limiting
Weaknesses   -                CWE-307
References   -                -
Metrics      -                cvssV3_1 {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
                              cvssV4_0 {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-17T18:11:34.304Z

Reserved: 2026-03-11T18:26:41.488Z

Link: CVE-2026-32295

Vulnrichment

Updated: 2026-03-17T18:11:31.632Z

NVD

Status: Analyzed

Published: 2026-03-17T18:16:16.790

Modified: 2026-04-10T01:28:56.830

Link: CVE-2026-32295

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:03Z

Weaknesses