CVE-2026-32291

MEDIUM

GL-iNet Comet (GL-RM1) KVM unauthenticated root access via UART serial console

Title source: cna

Description

The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins.

References (4)

Core 4

Core References

url

https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/

url

https://www.cve.org/CVERecord?id=CVE-2026-32291

url

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json

Release Notes patch

https://dl.gl-inet.com/release/kvm/release/RM1/1.8.2

Scores

CVSS v3 6.8

EPSS 0.0033

EPSS Percentile 24.8%

Attack Vector PHYSICAL

CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment

Exploitation poc

Automatable no

Technical Impact total

Details

CWE

CWE-306

Status published

Products (2)

GL-iNet/Comet KVM

gl-inet/comet_gl-rm1_firmware < 1.8.2

Published Mar 17, 2026

Tracked Since Mar 17, 2026