Skip to main content

Es3 Kvm EUVDEUVD-2026-12614

| CVE-2026-32298 HIGH
OS Command Injection (CWE-78)
2026-03-17 cisa-cg
8.5
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.5 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 27, 2026 - 17:07 vuln.today
cvss_changed
Severity Changed
Apr 27, 2026 - 17:07 NVD
CRITICAL HIGH
CVSS changed
Apr 27, 2026 - 17:07 NVD
9.1 (CRITICAL) 8.5 (HIGH)
EUVD ID Assigned
Mar 17, 2026 - 20:30 euvd
EUVD-2026-12614
Analysis Generated
Mar 17, 2026 - 20:30 vuln.today
CVE Published
Mar 17, 2026 - 17:21 nvd
CRITICAL 9.1

DescriptionCVE.org

The Angeet ES3 KVM does not properly sanitize user-supplied variables parsed by the 'cfg.lua' script, allowing an authenticated attacker to execute OS-level commands.

AnalysisAI

OS command execution in Angeet ES3 KVM allows authenticated administrators to execute arbitrary system commands through improper input validation in the cfg.lua script. An attacker with high-level privileges can leverage this vulnerability to achieve complete system compromise with high impact on confidentiality, integrity, and availability. No patch is currently available for this critical vulnerability.

Technical ContextAI

The vulnerability affects the Angeet ES3 KVM (Keyboard, Video, Mouse) switch device, identified by CPE cpe:2.3:a:angeet:es3_kvm:*:*:*:*:*:*:*:*, which is used for remote server management in data centers. The root cause is CWE-78 (OS Command Injection), where the cfg.lua script processes user-controlled variables without proper sanitization or escaping, allowing shell metacharacters to be interpreted by the underlying operating system. KVM devices are critical infrastructure components that provide out-of-band management capabilities for servers, making them high-value targets as they often have privileged access to multiple systems.

RemediationAI

No patch information is currently available in the provided intelligence sources for the Angeet ES3 KVM vulnerability. Organizations should immediately implement compensating controls including restricting network access to KVM devices to trusted management networks only, implementing strong authentication mechanisms, and monitoring for suspicious command execution on affected devices. Contact Angeet support for firmware updates and monitor the CISA advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json for patch availability. Consider replacing end-of-life KVM devices if vendor support is unavailable.

Share

EUVD-2026-12614 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy