Description
The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands.
Published: 2026-03-17
Score: 8.5 High
EPSS: < 1% Very Low
KEV: No
Impact: OS Command Execution
Action: Patch
AI Analysis

Impact

The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script. An authenticated attacker can inject data that causes the script to execute arbitrary OS-level commands. This flaw is a classic operating system command injection (CWE-78), allowing the attacker to potentially compromise the host system, exfiltrate data, modify system files, or disrupt services. The impact includes loss of integrity and confidentiality and could enable lateral movement across the network if the KVM is exposed.

Affected Systems

Angeet ES3 KVM devices are affected. No specific affected versions are listed in the CNA data, so the range of versions susceptible to the flaw is currently unknown.

Risk and Exploitability

The CVSS base score of 8.5 classifies this vulnerability as High severity. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The attack requires authentication to the KVM; the exact network or local context is not specified, so it is inferred that the attacker must have valid credentials or access to the device to trigger the flaw. Given the high severity and the need for authenticated access, the risk is significant for environments that expose KVM management interfaces to untrusted users or networks.

Generated by OpenCVE AI on March 17, 2026 at 18:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Check the vendor's official website or support channels for a patch or update that addresses the 'cfg.lua' sanitization issue.
  • If a patch is not immediately available, mitigate by restricting management access to trusted administrators only and consider network segmentation to isolate the KVM host.
  • As a temporary measure, disable or remove the 'cfg.lua' script from the configuration if it is not required for operational functionality, thereby eliminating the exploitation surface.

Advisories

No advisories yet.

History

Wed, 18 Mar 2026 12:15:00 +0000

Type                  Values Removed   Values Added
First Time appeared                    Angeet
                                       Angeet es3 Kvm
Vendors & Products                     Angeet
                                       Angeet es3 Kvm

Tue, 17 Mar 2026 18:15:00 +0000

Type      Values Removed   Values Added
Metrics                    ssvc
                           {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 17 Mar 2026 17:45:00 +0000

Type          Values Removed   Values Added
Description                    The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands.
Title                          Angeet ES3 KVM OS command injection
Weaknesses                     CWE-78
References
Metrics                        cvssV3_1
                               {'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}
                               cvssV4_0
                               {'score': 8.5, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H'}


MITRE

Status: PUBLISHED

Assigner: cisa-cg

Published:

Updated: 2026-03-17T18:09:21.367Z

Reserved: 2026-03-11T18:27:11.768Z

Link: CVE-2026-32298

Vulnrichment

Updated: 2026-03-17T18:09:18.683Z

NVD

Status: Awaiting Analysis

Published: 2026-03-17T18:16:17.313

Modified: 2026-03-18T14:52:44.227

Link: CVE-2026-32298

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-03-24T10:49:00Z

Weaknesses