Executive Summary
A high-severity OS command injection vulnerability (CVE-2026-32298, CVSS 9.1) has been disclosed in the Angeet ES3 KVM switch. The flaw exists in the device's cfg.lua web configuration script, which fails to properly sanitize user-supplied input before passing it to OS-level command execution routines. An authenticated attacker with access to the device's management interface can exploit this vulnerability to execute arbitrary commands on the underlying operating system.
CVSS Score: 9.1 (High)
Published to the NVD on March 17, 2026, this vulnerability (CWE-78 — Improper Neutralization of Special Elements used in an OS Command) affects KVM switch infrastructure commonly deployed in data centres, server rooms, and managed service provider environments.
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-32298 |
| CVSS Score | 9.1 (High) |
| CWE | CWE-78: OS Command Injection |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (authenticated) |
| User Interaction | None |
| Vulnerable Component | cfg.lua web configuration script |
| Root Cause | Unsanitized user input passed to OS command execution |
Affected Products
| Vendor | Product | Affected Versions | Fixed Version |
|---|---|---|---|
| Angeet | ES3 KVM Switch | All firmware versions | None available |
Vulnerability Details
OS Command Injection in cfg.lua
The Angeet ES3 KVM switch exposes a web-based management interface that includes a configuration script (cfg.lua) responsible for processing user-supplied parameters and applying device settings. The script fails to sanitize one or more input variables before incorporating them into shell command strings that are executed by the underlying operating system.
An authenticated attacker can craft malicious input containing shell metacharacters (such as ;, |, `, $(), or &&) to break out of the intended command context and inject arbitrary OS-level commands.
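The pattern described above, shown as an added illustration in Python rather than Lua (this is not the ES3's cfg.lua code, and the parameter name `hostname`, the command `setcfg` and the allowlist rule are all assumptions chosen for the example): the vulnerable form splices the raw value into a shell string, while the hardened form allowlists the value and executes an argument list without a shell, so metacharacters are never interpreted even if validation is bypassed.

```python
import re
import subprocess
import sys

# Hypothetical parameter and command names, used purely for illustration; the
# real cfg.lua parameters and the commands it builds are not public.
SAFE_LABEL = re.compile(r"^[A-Za-z0-9][A-Za-z0-9._-]{0,62}$")
SHELL_METACHARS = frozenset(";|&`$(){}<>\n\r'\"\\")


def contains_shell_metachars(value: str) -> bool:
    """True if the value holds any character a POSIX shell would interpret."""
    return any(ch in SHELL_METACHARS for ch in value)


def is_safe_value(value: str) -> bool:
    """Allowlist check: hostname-like labels only, nothing else gets through."""
    return SAFE_LABEL.fullmatch(value) is not None


def build_command_unsafe(hostname: str) -> str:
    # Vulnerable pattern (CWE-78): the raw value is concatenated into a string
    # that is later handed to a shell. A value such as "rack12;id" therefore
    # becomes two commands when the shell parses the string.
    return "setcfg hostname " + hostname


def build_command_safe(hostname: str) -> list[str]:
    # Hardened pattern: reject anything outside the allowlist, then build an
    # argv list. An argv list is executed directly (no shell), so even a stray
    # metacharacter would be passed as literal data, not parsed as syntax.
    if not is_safe_value(hostname):
        raise ValueError(f"rejected hostname value: {hostname!r}")
    return ["setcfg", "hostname", hostname]


def echo_literal(value: str) -> str:
    # Demonstrates the no-shell execution path using the Python interpreter in
    # place of the hypothetical setcfg binary: the child receives the value as
    # one argv element and prints it back unchanged, metacharacters included.
    result = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", value],
        capture_output=True,
        text=True,
        check=True,
    )
    return result.stdout


if __name__ == "__main__":
    for candidate in ("rack12-kvm", "rack12;id"):
        print(f"{candidate!r}: metachars={contains_shell_metachars(candidate)} "
              f"allowlisted={is_safe_value(candidate)}")
    print("unsafe string:", build_command_unsafe("rack12;id"))
    print("safe argv:", build_command_safe("rack12-kvm"))
    print("argv child saw:", echo_literal("rack12;id").strip())
```

The allowlist is the primary control; the argv-list execution is defence in depth, and the two together are what a fix for this class of bug in cfg.lua would need to provide.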
Attack flow:
1. Attacker authenticates to the KVM management web interface
2. Attacker identifies parameters accepted by cfg.lua
3. Attacker injects shell metacharacters and malicious commands into a vulnerable parameter (e.g., ?param=value;id)
4. The cfg.lua script passes unsanitized input to the OS command handler
5. Injected command executes with the privileges of the web server process
6. Attacker achieves OS-level command execution on the KVM device
Impact of Successful Exploitation
A successful exploit gives the attacker command execution on the KVM device's underlying OS. Depending on the process privilege level, an attacker could:
- Exfiltrate device configuration and credentials — including credentials stored for connected systems
- Pivot to connected servers — KVM switches have direct console access to attached servers
- Modify device firmware or configuration — persistent backdoors, port forwarding, or credential capture
- Disrupt operations — disconnect or interfere with console access to managed servers
- Lateral movement — use captured credentials to access other infrastructure
The elevated CVSS score of 9.1 reflects the low attack complexity, network accessibility, and significant impact on confidentiality, integrity, and availability.
Deployment Context and Risk
KVM switches are frequently deployed in high-trust network segments with privileged access to multiple servers. The ES3 model is marketed for small-to-medium data centre environments where a single device may provide console access to tens of servers.
| Deployment Context | Risk Level | Notes |
|---|---|---|
| Internet-exposed management interface | Critical | Direct exploitation from the internet with valid credentials |
| Internal network (data centre segment) | High | Any attacker with internal access and valid credentials |
| Managed service provider environments | High | One KVM may provide access to multiple client environments |
| Out-of-band management networks | High | Often less monitored; exploitation may go undetected |
Recommended Mitigations
No vendor patch is currently available. Apply the following compensating controls immediately.
1. Restrict Management Interface Access
```bash
# Limit access to the KVM management interface to a dedicated management VLAN
# Block all inbound access from untrusted network segments
# Example (adjust port and interface as appropriate). Rule order matters:
# the ACCEPT for the management VLAN must sit above the DROP. Two plain -I
# calls would insert the DROP at the top and lock out the management VLAN
# as well, so the positions are given explicitly here.
iptables -I INPUT 1 -p tcp --dport 443 -s <MGMT_VLAN_CIDR> -j ACCEPT
iptables -I INPUT 2 -p tcp --dport 443 -j DROP
```
2. Enforce Strong Authentication
- Change all default credentials immediately
- Use unique, strong passwords for the KVM management account
- Where supported, restrict management access to specific IP addresses
3. Place Behind a Jump Host or Privileged Access Workstation
Move all KVM management access behind a dedicated privileged access workstation (PAW) or jump server, and allow no direct access to KVM management interfaces from end-user workstations.
4. Network Segmentation
Ensure the KVM management interface is on an isolated management VLAN that is not reachable from general corporate networks or the internet.
5. Monitor for Exploitation Indicators
| Indicator | Description |
|---|---|
| Unexpected processes spawned by web server | Post-exploitation command execution |
| Unusual network connections from the KVM device | Data exfiltration or C2 communication |
| Configuration changes not initiated by administrators | Backdoor installation or tampering |
| Authentication events from unexpected source IPs | Credential compromise and attacker access |
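Two of the indicators in the table above, authentication from unexpected source IPs and cfg.lua requests carrying shell metacharacters, can be checked against device logs. The following Python scanner is an added example, not vendor tooling: the log line layout, the `/cfg.lua` request path, the parameter names and the management VLAN range are all constructed assumptions, because the ES3's real log format is not public, so adapt the regular expressions to whatever your device or reverse proxy actually emits.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample log lines (not captured from a real device). The layout
# "<timestamp> <client-ip> <event>" and the /cfg.lua path are assumptions.
SAMPLE_LOG = """\
2026-03-18T09:00:01Z 10.10.0.5 LOGIN user=admin result=success
2026-03-18T09:00:04Z 10.10.0.5 GET /cfg.lua?hostname=rack12-kvm 200
2026-03-18T09:12:33Z 203.0.113.7 LOGIN user=admin result=success
2026-03-18T09:12:40Z 203.0.113.7 GET /cfg.lua?hostname=rack12%3Bid 200
2026-03-18T09:13:02Z 203.0.113.7 GET /cfg.lua?ntp=pool.example.net%24(id) 200
2026-03-18T09:20:10Z 10.10.0.9 GET /status.lua 200
"""

# Assumed management VLAN; every successful login from outside it is reported.
MGMT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Characters a POSIX shell treats as syntax; any of them inside a decoded
# cfg.lua parameter value is worth a look.
METACHAR_RE = re.compile(r"[;|&`$(){}<>\n\r\\]")
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<ip>\S+) (?P<rest>.*)$")


def is_management_ip(ip: str) -> bool:
    """True if the address falls inside one of the management networks."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in MGMT_NETS)


def scan_log(text: str) -> list[tuple[str, str, str, str]]:
    """Return (timestamp, ip, indicator, detail) for each suspicious line."""
    findings = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed layout
        ts, ip, rest = m.group("ts"), m.group("ip"), m.group("rest")

        # Indicator 1: successful authentication from outside the management VLAN.
        if rest.startswith("LOGIN") and "result=success" in rest:
            if not is_management_ip(ip):
                findings.append((ts, ip, "auth-from-unexpected-source", rest))
            continue

        # Indicator 2: cfg.lua request whose decoded parameter holds shell syntax.
        if rest.startswith(("GET ", "POST ")):
            target = rest.split()[1]
            parts = urlsplit(target)
            if not parts.path.endswith("cfg.lua"):
                continue
            # parse_qsl percent-decodes values, so %3B is seen as ';' here.
            for key, value in parse_qsl(parts.query, keep_blank_values=True):
                if METACHAR_RE.search(value):
                    findings.append((ts, ip, "cfg.lua-metachar", f"{key}={value}"))
    return findings


if __name__ == "__main__":
    for ts, ip, indicator, detail in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {indicator}: {detail}")
```

Run against the sample it reports the off-network login from 203.0.113.7 and the two cfg.lua requests whose parameters decode to `;` and `$()`, while the legitimate `rack12-kvm` change from the management VLAN stays quiet. Feeding it the device's real access log, or the reverse proxy's log if the interface sits behind one, gives a quick first pass before deeper forensics.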
Post-Remediation Checklist
- Verify the management interface is isolated — confirm the device is not reachable from untrusted networks
- Rotate all credentials — change KVM management passwords and any credentials stored on or accessible via the device
- Review access logs — check for any unexpected authentication or configuration change events
- Audit connected server credentials — if the device was compromised, credentials of connected servers may be exposed
- Contact vendor — request patch availability and apply when released
- Consider replacement — if no patch timeline is provided, evaluate replacing the device with one from a vendor with an active security response programme
References
- CVE-2026-32298 — NVD
- CWE-78: Improper Neutralization of Special Elements used in an OS Command — MITRE