Home / Vulnerability Intelligence / CVE-2026-32298

CVE-2026-32298 - Vulnerability Analysis

CriticalCVSS: 9.1

Last Updated: March 17, 2026

Angeet ES3 KVM - Command Injection

Published: March 17, 2026Updated: March 17, 2026Remote Exploitable

Overview

Angeet ES3 KVM contains a command injection caused by improper sanitization of user-supplied variables in cfg.lua script, letting authenticated attackers execute OS-level commands.

Severity & Score

Severity: Critical

CVSS Score: 9.1

Impact

Authenticated attackers can execute arbitrary OS-level commands, potentially compromising the entire system.

Mitigation

Update to the latest version with proper input sanitization.

References

https://eclypsium.com/blog/kvm-devices-the-keys-to-your-kingdom-are-hanging-on-the-network/
https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json
https://www.cve.org/CVERecord?id=CVE-2026-32291

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-32298
Severity: Critical
CVSS Score: 9.1
Type: command_injection
Status: new

CWE

CWE-78

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H