CVE-2026-32294

MEDIUM 4.7

JetKVM insufficient firmware verification

CVSS Score

4.7

EPSS Score

0.0%

EPSS Percentile

0th

JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification.

CWE	CWE-345 CWE-347
Vendor	jetkvm
Product	jetkvm
Published	Mar 17, 2026
Last Updated	Mar 17, 2026

Stay Ahead of the Next One

Get instant alerts for jetkvm jetkvm

Be the first to know when new medium vulnerabilities affecting jetkvm jetkvm are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

Attack Vector

Local

Attack Complexity

High

Privileges Required

None

User Interaction

Required

Scope

Unchanged

Confidentiality

None

Integrity

High

Availability

None

Affected Versions

JetKVM / JetKVM

0 < 0.5.4

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/jetkvm/kvm/releases/tag/release%2F0.5.4 eclypsium.com: https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/ raw.githubusercontent.com: https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json cve.org: https://www.cve.org/CVERecord?id=CVE-2026-32294

Credits

Paul Asadoorian, Eclypsium