Description
JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials.
Published: 2026-03-17
Score: 9.3 Critical
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

JetKVM devices prior to 0.5.4 provide no rate limiting on login attempts, enabling attackers to perform brute-force credential guessing. The vulnerability is classified as CWE-307. If credentials are discovered, the attacker could log into the KVM web interface, but the extent of control beyond this is inferred and not explicitly stated in the advisory.

Affected Systems

All JetKVM KVM devices running firmware or software versions earlier than 0.5.4 are affected. The vendor released version 0.5.4 which added login rate limiting; any device still on earlier releases lacks this protection.

Risk and Exploitability

The CVSS v4.0 score of 9.3 places the vulnerability in the critical severity range (the CVSS v3.1 score is 7.5). The EPSS score of less than 1% suggests that exploitation is relatively uncommon to date, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is over the network through the KVM login interface, inferred from the description that login requests are processed without limitation.

Generated by OpenCVE AI on April 10, 2026 at 03:52 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade JetKVM to version 0.5.4 or later
  • Restrict network access to the KVM login interface to trusted IP addresses using firewall rules
  • Implement external rate limiting or block repeated failed login attempts on the network or endpoint if patching is not immediately possible
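One way to implement the "block repeated failed login attempts" recommendation at the endpoint, as an added example that is not JetKVM's own code: a per-client sliding-window counter with a lockout, consulted before the password is checked. The thresholds, the client key (source address) and the demo credential are assumptions.

```python
import hmac
import time
from collections import defaultdict, deque

WINDOW_SECONDS = 300    # assumed: window over which failures are counted
MAX_FAILURES = 5        # assumed: failures in the window that trigger lockout
LOCKOUT_SECONDS = 900   # assumed: how long a locked client is refused


class LoginThrottle:
    """Tracks failed logins per client and refuses clients that exceed the limit."""

    def __init__(self, now=time.monotonic):
        self._now = now                      # injectable clock (for tests)
        self._failures = defaultdict(deque)  # client -> timestamps of failures
        self._locked_until = {}              # client -> time lockout expires

    def _prune(self, client, now):
        q = self._failures[client]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                      # drop failures outside the window

    def allowed(self, client):
        """Call before verifying credentials so locked clients cost nothing."""
        now = self._now()
        until = self._locked_until.get(client)
        if until is not None:
            if now < until:
                return False
            del self._locked_until[client]   # lockout expired
        return True

    def record(self, client, success):
        now = self._now()
        if success:
            self._failures.pop(client, None)  # reset on successful login
            return
        self._prune(client, now)
        self._failures[client].append(now)
        if len(self._failures[client]) >= MAX_FAILURES:
            self._locked_until[client] = now + LOCKOUT_SECONDS
            self._failures.pop(client, None)


_PASSWORDS = {"admin": "correct horse battery staple"}  # constructed demo value


def login(throttle, client, user, password):
    """Returns 'locked', 'ok' or 'denied'; the throttle is consulted first."""
    if not throttle.allowed(client):
        return "locked"
    ok = hmac.compare_digest(_PASSWORDS.get(user, ""), password)
    throttle.record(client, ok)
    return "ok" if ok else "denied"
```

Keying only on the source address does not stop guessing spread across many addresses, so a per-account counter alongside the per-client one is the usual complement.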

Advisories

No advisories yet.

History

Fri, 10 Apr 2026 01:30:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Jetkvm kvm
CPEs                |                | cpe:2.3:a:jetkvm:kvm:*:*:*:*:*:*:*:*
Vendors & Products  |                | Jetkvm kvm

Wed, 18 Mar 2026 12:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Jetkvm
                    |                | Jetkvm jetkvm
Vendors & Products  |                | Jetkvm
                    |                | Jetkvm jetkvm

Tue, 17 Mar 2026 19:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc
                           {'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 17:45:00 +0000

Type        | Values Removed | Values Added
Description |                | JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials.
Title       |                | JetKVM insufficient login rate limiting
Weaknesses  |                | CWE-307
References  |                |
Metrics     |                | cvssV3_1
                               {'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N'}
            |                | cvssV4_0
                               {'score': 9.3, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-17T18:11:34.304Z

Reserved: 2026-03-11T18:26:41.488Z

Link: CVE-2026-32295

Vulnrichment

Updated: 2026-03-17T18:11:31.632Z

NVD

Status: Analyzed

Published: 2026-03-17T18:16:16.790

Modified: 2026-04-10T01:28:56.830

Link: CVE-2026-32295

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-10T09:46:28Z

Weaknesses