Cyber Posture

CVE-2026-32295

High

Published: 17 March 2026
Modified: 10 April 2026
KEV Added: not listed
Patch: available (JetKVM 0.5.4)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0004 (13.7th percentile)
Risk Priority: 15 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32295 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in JetKVM (vendor jetkvm, product kvm). Its CVSS v3.1 base score is 7.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Brute Force (T1110). EPSS ranks it at the 13.7th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Brute Force (T1110) and one other technique (listed below). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-7 (prevent) enforces limits on consecutive unsuccessful logon attempts and locks accounts, directly countering the brute-force credential guessing exploited in CVE-2026-32295.

SI-2 (prevent) requires timely identification, reporting, and patching of system flaws such as the missing login rate limiting in JetKVM before version 0.5.4.

SC-5 (prevent) employs safeguards against denial-of-service events, mitigating floods of login requests that enable brute-force attacks on vulnerable JetKVM instances.

MITRE ATT&CK Enterprise Techniques

T1110 Brute Force (Credential Access): Adversaries may use brute force techniques to gain access to accounts when passwords are unknown or when password hashes are obtained.

T1110.001 Password Guessing (Credential Access): Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Why these techniques?

Lack of login rate limiting directly enables brute-force credential guessing (T1110 / T1110.001) against the exposed JetKVM web interface.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

JetKVM before 0.5.4 does not rate limit login requests, enabling brute-force attempts to guess credentials.

Deeper analysis

CVE-2026-32295 affects JetKVM versions before 0.5.4, where the software fails to rate limit login requests. This design flaw enables brute-force attacks to guess credentials, as classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts). The vulnerability carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), highlighting its high severity due to network accessibility and potential for significant confidentiality impact.

Attackers with network access to a vulnerable JetKVM instance can exploit this without prior privileges or user interaction. By sending repeated login attempts, they can systematically guess credentials, potentially compromising access to the device's KVM (keyboard, video, mouse) functionality and exposing sensitive remote control capabilities.

Mitigation involves upgrading to JetKVM version 0.5.4, available via the project's GitHub release page, which addresses the rate limiting deficiency. Advisories from Eclypsium, CISA (via CSAF document VA-26-076-01), and the official CVE record detail the issue and emphasize applying the patch promptly.
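As an added illustration of the missing control (not JetKVM's code, and not how the 0.5.4 fix is implemented), the Go limiter below counts failed logins per client key and locks that key out once the limit is reached inside a window, the AC-7 behaviour the controls above describe. The thresholds a caller passes in (for example 5 failures per minute with a 15-minute lockout) are assumed values, not figures from the advisory.

```go
package main

import (
	"sync"
	"time"
)

type clientState struct { // per client key (source IP or account name)
	failures    int
	windowStart time.Time
	lockedUntil time.Time
}

// LoginLimiter is an illustrative CWE-307 mitigation, not JetKVM's own code:
// limit failed logins inside window lock the client out for lockout.
type LoginLimiter struct {
	mu      sync.Mutex
	limit   int
	window  time.Duration
	lockout time.Duration
	clients map[string]*clientState
}

func NewLoginLimiter(limit int, window, lockout time.Duration) *LoginLimiter {
	return &LoginLimiter{limit: limit, window: window, lockout: lockout, clients: map[string]*clientState{}}
}

// Allow rejects a locked-out client before any password check runs.
func (l *LoginLimiter) Allow(key string, now time.Time) bool {
	l.mu.Lock()
	defer l.mu.Unlock()
	c, ok := l.clients[key]
	return !ok || !now.Before(c.lockedUntil)
}

// RecordFailure counts a failure and applies an AC-7 style lockout at limit failures per window.
func (l *LoginLimiter) RecordFailure(key string, now time.Time) {
	l.mu.Lock()
	defer l.mu.Unlock()
	c, ok := l.clients[key]
	if !ok || now.Sub(c.windowStart) >= l.window {
		c = &clientState{windowStart: now} // new window: old failures no longer count
		l.clients[key] = c
	}
	c.failures++
	if c.failures >= l.limit {
		c.lockedUntil = now.Add(l.lockout)
		c.failures = 0
	}
}
```

A login handler calls Allow before verifying the password and RecordFailure after a rejected attempt; failures spread wider than the window never accumulate, so a legitimate user mistyping occasionally is not locked out.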

Details

CWE(s): CWE-307 (Improper Restriction of Excessive Authentication Attempts)

Affected Products: jetkvm kvm ≤ 0.5.3

CVEs Like This One (all sharing CWE-307)

CVE-2026-22616, CVE-2024-51476, CVE-2025-64310, CVE-2026-36959, CVE-2025-25595, CVE-2025-12995, CVE-2026-40586, CVE-2025-69246, CVE-2026-6947, CVE-2025-58587

References