Comet Gl Rm1 Firmware
by Gl Inet
CVEs (4)
| CVE | Severity | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|
| CVE-2026-32292 | High | 0.49 | 7.5 | 0.00 | | Mar 17, 2026 | The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials. |
| CVE-2026-32291 | Medium | 0.44 | 6.8 | 0.00 | | Mar 17, 2026 | The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins. |
| CVE-2026-32290 | Medium | 0.31 | 4.7 | 0.00 | | Mar 17, 2026 | The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification. |
| CVE-2026-32293 | Low | 0.24 | 3.7 | 0.00 | | Mar 17, 2026 | The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the invalid certificates and fail to connect to the legitimate GL-iNet KVM cloud service. |