{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32294", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2026-03-11T18:26:33.310Z", "datePublished": "2026-03-17T17:19:22.624Z", "dateUpdated": "2026-03-17T18:12:13.714Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification."}], "affected": [{"vendor": "JetKVM", "product": "JetKVM", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.5.4", "versionType": "custom"}, {"version": "0.5.4", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-345 Insufficient Verification of Data Authenticity", "lang": "en", "type": "CWE", "cweId": "CWE-345"}]}, {"descriptions": [{"description": "CWE-347 Improper Verification of Cryptographic Signature", "lang": "en", "type": "CWE", "cweId": "CWE-347"}]}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"cvssV4_0": {"version": "4.0", "baseScore": 7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T17:25:54.665405Z", "id": "CVE-2026-32294", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "JetKVM insufficient firmware verification", "references": [{"name": "url", "url": "https://github.com/jetkvm/kvm/releases/tag/release%2F0.5.4", "tags": ["patch"]}, {"name": "url", "url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/"}, {"name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"}, {"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32294"}], "credits": [{"value": "Paul Asadoorian, Eclypsium", "lang": "en"}], "datePublic": "2026-03-17T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-17T17:19:22.624Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T18:12:07.429086Z", "id": "CVE-2026-32294", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:12:13.714Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32294", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-17T18:12:07.429086Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:12:10.826Z"}}], "cna": {"title": "JetKVM insufficient firmware verification", "credits": [{"lang": "en", "value": "Paul Asadoorian, Eclypsium"}], "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 4.7, "attackVector": "LOCAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "integrityImpact": "HIGH", "userInteraction": "REQUIRED", "attackComplexity": "HIGH", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "NONE"}}, {"cvssV4_0": {"version": "4.0", "baseScore": 7, "attackVector": "LOCAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H", "userInteraction": "ACTIVE", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32294", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-11T17:25:54.665405Z"}}}], "affected": [{"vendor": "JetKVM", "product": "JetKVM", "versions": [{"status": "affected", "version": "0", "lessThan": "0.5.4", "versionType": "custom"}, {"status": "unaffected", "version": "0.5.4"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-17T00:00:00.000Z", "references": [{"url": "https://github.com/jetkvm/kvm/releases/tag/release%2F0.5.4", "name": "url", "tags": ["patch"]}, {"url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/", "name": "url"}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json", "name": "url"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-32294", "name": "url"}], "descriptions": [{"lang": "en", "value": "JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-345", "description": "CWE-345 Insufficient Verification of Data Authenticity"}]}, {"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-347", "description": "CWE-347 Improper Verification of Cryptographic Signature"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-17T17:19:22.624Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32294", "state": "PUBLISHED", "dateUpdated": "2026-03-17T18:12:13.714Z", "dateReserved": "2026-03-11T18:26:33.310Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2026-03-17T17:19:22.624Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jetkvm:kvm:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDA899F2-D012-41A7-BDF5-39CFF8D93534", "versionEndIncluding": "0.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding SHA256 hash to pass verification."}, {"lang": "es", "value": "JetKVM anterior a 0.5.4 no verifica la autenticidad de los archivos de firmware descargados. Un atacante-en-el-medio o un servidor de actualizaci\u00f3n comprometido podr\u00eda modificar el firmware y el hash SHA256 correspondiente para pasar la verificaci\u00f3n."}], "id": "CVE-2026-32294", "lastModified": "2026-04-10T01:29:42.367", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "HIGH", "attackVector": "LOCAL", "availabilityImpact": "NONE", "baseScore": 4.7, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "REQUIRED", "vectorString": "CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N", "version": "3.1"}, "exploitabilityScore": 1.0, "impactScore": 3.6, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "PRESENT", "attackVector": "LOCAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2026-03-17T18:16:16.610", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Release Notes"], "url": "https://github.com/jetkvm/kvm/releases/tag/release%2F0.5.4"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Broken Link"], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-32294"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-345"}, {"lang": "en", "value": "CWE-347"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.5.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.5.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "JetKVM", "source": "cna", "vendor": "JetKVM"}, "product": "jetkvm", "vendor": "jetkvm"}], "analysis": {"en": {"generated_at": "2026-03-17T18:21:56.524092+00:00", "value": {"mitigation_remediation": ["Upgrade JetKVM firmware to version 0.5.4 or later.", "Verify that firmware updates are obtained from a trusted source and validate checksum integrity.", "Monitor network traffic for unauthorized firmware downloads or update anomalies."], "summary": {"action": "Immediate Patch", "impact": "Firmware Tampering (Potential RCE)"}, "threat_synthesis": {"affected_systems": "All JetKVM devices running firmware versions earlier than 0.5.4 are affected. No other vendors or products are listed.", "description_and_impact": "JetKVM prior to 0.5.4 does not verify the authenticity of downloaded firmware files. This allows an attacker in\u2011the\u2011middle or a compromised update server to modify the firmware and its corresponding SHA256 hash so that the device incorrectly accepts the tampered firmware. The vulnerability is a legitimate example of missing data validation (CWE\u2011345) and absence of integrity checks (CWE\u2011347). Installing the malicious firmware can give an attacker full control of the device, enabling arbitrary code execution, data theft, or disruption of services.", "risk_and_exploitability": "A CVSS score of 7 indicates a high severity level. EPSS data is not available, and the vulnerability is not currently listed in the CISA KEV catalog. The most likely attack vector is a network\u2011based compromise: either a man\u2011in\u2011the\u2011middle position intercepting the update traffic or a compromised update server providing a dishonest firmware image. The attack does not require local privileges; any entity with access to the device\u2019s update channel can exploit it."}}}}, "created": "2026-03-18T12:13:10.044698+00:00", "updated": "2026-03-24T10:49:04.651813+00:00", "vendors": ["jetkvm", "jetkvm$PRODUCT$jetkvm"]}