CVE-2026-32291

MEDIUM

GL-iNet Comet (GL-RM1) KVM unauthenticated root access via UART serial console

Title source: cna

Description

The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins.

Scores

CVSS v3: 6.8
EPSS: 0.0005
EPSS Percentile: 16.8%
Attack Vector: PHYSICAL
CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation: poc
Automatable: no
Technical Impact: total

Details

CWE: CWE-306
Status: published
Products (2):
GL-iNet/Comet KVM
gl-inet/comet_gl-rm1_firmware < 1.8.2
Published: Mar 17, 2026
Tracked Since: Mar 17, 2026