Vulnerability Details CVE-2026-32291
The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins.
Exploit prediction scoring system (EPSS) score
EPSS Score 0.001
EPSS Ranking 16.0%
CVSS Severity
CVSS v3 Score 6.8
References
- https://dl.gl-inet.com/release/kvm/release/RM1/1.8.2
- https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/
- https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json
- https://www.cve.org/CVERecord?id=CVE-2026-32291
Products affected by CVE-2026-32291
-
cpe:2.3:h:gl-inet:comet_gl-rm1:-
-
cpe:2.3:o:gl-inet:comet_gl-rm1_firmware:*