{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32295", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2026-03-11T18:26:41.488Z", "datePublished": "2026-03-17T17:19:39.692Z", "dateUpdated": "2026-03-17T18:11:34.304Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials."}], "affected": [{"vendor": "JetKVM", "product": "JetKVM", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "0.5.4", "versionType": "custom"}, {"version": "0.5.4", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE", "cweId": "CWE-307"}]}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-11T17:33:10.669735Z", "id": "CVE-2026-32295", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "JetKVM insufficient login rate limiting", "references": [{"name": "url", "url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/"}, {"name": "url", "url": "https://github.com/jetkvm/kvm/releases/tag/release%2F0.5.4", "tags": ["patch"]}, {"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32295"}, {"name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"}], "credits": [{"value": "Paul Asadoorian, Eclypsium", "lang": "en"}], "datePublic": "2026-03-17T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-17T17:19:39.692Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T18:11:27.764122Z", "id": "CVE-2026-32295", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:11:34.304Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32295", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-17T18:11:27.764122Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:11:31.632Z"}}], "cna": {"title": "JetKVM insufficient login rate limiting", "credits": [{"lang": "en", "value": "Paul Asadoorian, Eclypsium"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32295", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "yes"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-03-11T17:33:10.669735Z"}}}], "affected": [{"vendor": "JetKVM", "product": "JetKVM", "versions": [{"status": "affected", "version": "0", "lessThan": "0.5.4", "versionType": "custom"}, {"status": "unaffected", "version": "0.5.4"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-17T00:00:00.000Z", "references": [{"url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/", "name": "url"}, {"url": "https://github.com/jetkvm/kvm/releases/tag/release%2F0.5.4", "name": "url", "tags": ["patch"]}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-32295", "name": "url"}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json", "name": "url"}], "descriptions": [{"lang": "en", "value": "JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-17T17:19:39.692Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32295", "state": "PUBLISHED", "dateUpdated": "2026-03-17T18:11:34.304Z", "dateReserved": "2026-03-11T18:26:41.488Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2026-03-17T17:19:39.692Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:jetkvm:kvm:*:*:*:*:*:*:*:*", "matchCriteriaId": "CDA899F2-D012-41A7-BDF5-39CFF8D93534", "versionEndIncluding": "0.5.3", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials."}, {"lang": "es", "value": "JetKVM anterior a la versi\u00f3n 0.5.4 no limita la tasa de solicitudes de inicio de sesi\u00f3n, lo que permite intentos de fuerza bruta para adivinar credenciales."}], "id": "CVE-2026-32295", "lastModified": "2026-04-10T01:28:56.830", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2026-03-17T18:16:16.790", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Release Notes"], "url": "https://github.com/jetkvm/kvm/releases/tag/release%2F0.5.4"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Broken Link"], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-32295"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,0.5.4)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "0.5.4"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "JetKVM", "source": "cna", "vendor": "JetKVM"}, "product": "jetkvm", "vendor": "jetkvm"}], "analysis": {"en": {"generated_at": "2026-04-10T03:52:23.200147+00:00", "value": {"mitigation_remediation": ["Upgrade JetKVM to version\u202f0.5.4 or later", "Restrict network access to the KVM login interface to trusted IP addresses using firewall rules", "Implement external rate limiting or block repeated failed login attempts on the network or endpoint if patching is not immediately possible"], "summary": {"action": "Patch", "impact": "Authentication Bypass"}, "threat_synthesis": {"affected_systems": "All JetKVM KVM devices running firmware or software versions earlier than 0.5.4 are affected. The vendor released version 0.5.4 which added login rate limiting; any device still on earlier releases lacks this protection.", "description_and_impact": "JetKVM devices prior to 0.5.4 provide no rate limiting on login attempts, enabling attackers to perform brute\u2011force credential guessing. The vulnerability is classified as CWE\u2011307. If credentials are discovered, the attacker could log into the KVM web interface, but the extent of control beyond this is inferred and not explicitly stated in the advisory.", "risk_and_exploitability": "The CVSS score of 9.3 indicates a high severity risk. The EPSS score of less than 1\u202f% suggests that exploitation is relatively uncommon to date, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is over the network through the KVM login interface, inferred from the description that login requests are processed without limitation."}}}}, "created": "2026-03-18T12:13:09.157320+00:00", "updated": "2026-04-10T09:46:28.226351+00:00", "vendors": ["jetkvm", "jetkvm$PRODUCT$jetkvm"]}