CVE-2026-32293
LOW
GL-iNet Comet (GL-RM1) KVM insufficient certificate validation
Title source: cnaDescription
The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the invalid certificates and fail to connect to the legitimate GL-iNet KVM cloud service.
References (4)
Scores
CVSS v3: 3.7
EPSS: 0.0003
EPSS Percentile: 9.4%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
CISA SSVC
Vulnrichment
Exploitation: none
Automatable: no
Technical Impact: partial
Details
CWE: CWE-295
Status: published
Products (3)
GL-iNet/Comet KVM: < 1.7.2
GL-iNet/Comet KVM: 1.7.2
gl-inet/comet_gl-rm1_firmware: < 1.7.2
Published: Mar 17, 2026
Tracked Since: Mar 17, 2026