7

CVE-2026-32294

Medienbericht

JetKVM insufficient firmware verification

JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification.
Daten sind bereitgestellt durch National Vulnerability Database (NVD)
JetkvmKvm Version <= 0.5.3
Zu dieser CVE wurde keine Warnung gefunden.
EPSS Metriken
Typ Quelle Score Percentile
EPSS FIRST.org 0.13% 0.028
CVSS Metriken
Quelle Base Score Exploit Score Impact Score Vector String
9119a7d8-5eab-497f-8521-727c672e3725 7 0 0
CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
9119a7d8-5eab-497f-8521-727c672e3725 4.7 1 3.6
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N
CWE-345 Insufficient Verification of Data Authenticity

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

CWE-347 Improper Verification of Cryptographic Signature

The product does not verify, or incorrectly verifies, the cryptographic signature for data.

Für Zugriff zu Vulnerability Intelligence ist ein VulnDex Zugang erforderlich.
VulnDex Intel
Media Report
18.03.2026 14:05
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json
Broken Link
https://github.com/jetkvm/kvm/releases/tag/release%2F0.5.4
Release Notes
https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/
Third Party Advisory
https://www.cve.org/CVERecord?id=CVE-2026-32294
Third Party Advisory