CVE-2026-32290

MEDIUM

GL-iNet Comet (GL-RM1) KVM insufficient firmware verification

Title source: cna

Description

The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification.

Scores

CVSS v3 4.7
EPSS 0.0001
EPSS Percentile 0.6%
Attack Vector LOCAL
CVSS:3.1/AV:L/AC:H/PR:N/UI:R/S:U/C:N/I:H/A:N

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact total

Details

CWE
CWE-345
Status published
Products (2)
GL-iNet/Comet KVM
gl-inet/comet_gl-rm1_firmware < 1.8.2
Published Mar 17, 2026
Tracked Since Mar 17, 2026