Cyber Resilience

CVE-2026-32295

Severity: Critical

Published: 17 March 2026
Modified: 10 April 2026
CVSS v4 score: 9.3 (CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X)
EPSS score: 0.0049 (38.2nd percentile)
Risk Priority: 70 (floored blend, peak EPSS)

Summary

CVE-2026-32295 is a critical-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in JetKVM (vendor jetkvm, product kvm). Its CVSS v4 base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). The CVE is ranked at the 38.2nd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-32295 affects JetKVM versions before 0.5.4, which do not rate limit login requests. This design flaw lets an attacker guess credentials by brute force, as classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting its high severity: the flaw is reachable over the network and its impact on confidentiality is significant.

Attackers with network access to a vulnerable JetKVM instance can exploit this without prior privileges or user interaction. By sending repeated login attempts, they can systematically guess credentials, potentially compromising access to the device's KVM (keyboard, video, mouse) functionality and exposing sensitive remote control capabilities.

Mitigation involves upgrading to JetKVM version 0.5.4, available from the project's GitHub release page, which addresses the rate-limiting deficiency. Advisories from Eclypsium, CISA (via CSAF document VA-26-076-01), and the official CVE record detail the issue and emphasize applying the patch promptly.
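The missing control described above, as an added illustration that is not JetKVM's own code: a per-client lockout on consecutive failed logins with exponential backoff, in Go, the language of the JetKVM device software. The key (client IP), the threshold of three failures, the one-minute base lockout and the injectable clock are assumptions made for this example, and the counter is reset on a successful login so legitimate users are not penalised.

```go
package main

import (
	"sync"
	"time"
)

// LoginLimiter applies an AC-7 style lockout per key (e.g. client IP): after maxFailures
// consecutive failures the key is locked out, and each further failure doubles the lockout.
type LoginLimiter struct {
	mu          sync.Mutex
	maxFailures int
	baseLockout time.Duration
	now         func() time.Time // injectable clock, so tests need no sleeps
	failures    map[string]int
	lockedUntil map[string]time.Time
}

func NewLoginLimiter(maxFailures int, baseLockout time.Duration) *LoginLimiter {
	return &LoginLimiter{maxFailures: maxFailures, baseLockout: baseLockout, now: time.Now,
		failures: map[string]int{}, lockedUntil: map[string]time.Time{}}
}

// Allow reports whether key may attempt a login now; false while locked out.
func (l *LoginLimiter) Allow(key string) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	return !l.now().Before(l.lockedUntil[key]) // zero time => never locked
}

// RecordFailure counts a failed attempt and starts or extends the lockout.
func (l *LoginLimiter) RecordFailure(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	l.failures[key]++
	if over := l.failures[key] - l.maxFailures; over >= 0 {
		if over > 10 { // cap the doubling so the shift cannot overflow
			over = 10
		}
		l.lockedUntil[key] = l.now().Add(l.baseLockout << uint(over))
	}
}

// RecordSuccess clears the key so a legitimate login is not penalised later.
func (l *LoginLimiter) RecordSuccess(key string) {
	l.mu.Lock()
	defer l.mu.Unlock()
	delete(l.failures, key)
	delete(l.lockedUntil, key)
}
```

A login handler would call Allow before checking the password and RecordFailure or RecordSuccess afterwards, rejecting locked-out clients with HTTP 429 and logging the event for detection.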

Vulnerability details

JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials.

Related Threats

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.
T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.
Why these techniques?

Lack of login rate limiting directly enables brute-force credential guessing (T1110 / T1110.001) against the exposed JetKVM web interface.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-43914 (shared CWE-307)
CVE-2025-25595 (shared CWE-307)
CVE-2023-54347 (shared CWE-307)
CVE-2026-22616 (shared CWE-307)
CVE-2026-36959 (shared CWE-307)
CVE-2024-51476 (shared CWE-307)
CVE-2025-64310 (shared CWE-307)
CVE-2025-12995 (shared CWE-307)
CVE-2026-45364 (shared CWE-307)
CVE-2025-69246 (shared CWE-307)

Affected Assets

jetkvm kvm, versions ≤ 0.5.3

Mitigating Controls (NIST 800-53 r5)

AC-7 (prevent): enforces limits on consecutive unsuccessful logon attempts and account locking, directly preventing the brute-force credential guessing exploited in CVE-2026-32295.

SI-2 (prevent): requires timely identification, reporting, and patching of system flaws such as the missing rate limiting in JetKVM before version 0.5.4.

SC-5 (prevent): employs safeguards against denial-of-service events, mitigating the excessive login requests that enable brute-force attacks on vulnerable JetKVM instances.