CVE-2026-32291

Summary

The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins.

Affected Software

VendorProductVersion RangeStatus
GL-iNetComet KVM0 < 1.8.2affected
GL-iNetComet KVM1.8.2unaffected

Weaknesses

  • CWE-306: CWE-306 Missing Authentication for Critical Function

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: poc
    • Automatable: no
    • Technical Impact: total

References