{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32291", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2026-03-11T18:26:10.038Z", "datePublished": "2026-03-17T17:18:34.947Z", "dateUpdated": "2026-03-23T19:34:20.347Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins."}], "affected": [{"vendor": "GL-iNet", "product": "Comet KVM", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.8.2", "versionType": "custom"}, {"version": "1.8.2", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-306 Missing Authentication for Critical Function", "lang": "en", "type": "CWE", "cweId": "CWE-306"}]}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7, "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-10T17:28:38.117871Z", "id": "CVE-2026-32291", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "GL-iNet Comet (GL-RM1) KVM unauthenticated root access via UART serial console", "references": [{"name": "url", "url": "https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/"}, {"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32291"}, {"name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"}, {"name": "url", "url": "https://dl.gl-inet.com/release/kvm/release/RM1/1.8.2", "tags": ["patch"]}], "credits": [{"value": "Reynaldo Vasquez Garcia, Eclypsium", "lang": "en"}], "datePublic": "2026-03-17T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-23T19:34:20.347Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T18:12:47.629054Z", "id": "CVE-2026-32291", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:12:50.187Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32291", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-17T18:12:47.629054Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T18:12:31.408Z"}}], "cna": {"title": "GL-iNet Comet (GL-RM1) KVM unauthenticated root access via UART serial console", "credits": [{"lang": "en", "value": "Reynaldo Vasquez Garcia, Eclypsium"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 7, "attackVector": "PHYSICAL", "baseSeverity": "HIGH", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "NONE", "vulnIntegrityImpact": "HIGH", "subAvailabilityImpact": "NONE", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "vulnConfidentialityImpact": "HIGH"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.8, "attackVector": "PHYSICAL", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32291", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-10T17:28:38.117871Z"}}}], "affected": [{"vendor": "GL-iNet", "product": "Comet KVM", "versions": [{"status": "affected", "version": "0", "lessThan": "1.8.2", "versionType": "custom"}, {"status": "unaffected", "version": "1.8.2"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-17T00:00:00.000Z", "references": [{"url": "https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/", "name": "url"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-32291", "name": "url"}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json", "name": "url"}, {"url": "https://dl.gl-inet.com/release/kvm/release/RM1/1.8.2", "name": "url", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-306", "description": "CWE-306 Missing Authentication for Critical Function"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-23T19:34:20.347Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32291", "state": "PUBLISHED", "dateUpdated": "2026-03-23T19:34:20.347Z", "dateReserved": "2026-03-11T18:26:10.038Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2026-03-17T17:18:34.947Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gl-inet:comet_gl-rm1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "B7F6724F-6272-4F2F-BE81-DA9638AC0FD7", "versionEndExcluding": "1.8.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gl-inet:comet_gl-rm1:-:*:*:*:*:*:*:*", "matchCriteriaId": "8FB81934-02A0-4324-B96C-6BE3A8F7568B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins."}, {"lang": "es", "value": "El KVM GL-iNet Comet (GL-RM1) no requiere autenticaci\u00f3n en la consola serie UART. Este ataque requiere abrir f\u00edsicamente el dispositivo y conectarse a los pines UART."}], "id": "CVE-2026-32291", "lastModified": "2026-04-27T12:36:50.560", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "PHYSICAL", "availabilityImpact": "HIGH", "baseScore": 6.8, "baseSeverity": "MEDIUM", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 0.9, "impactScore": 5.9, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 7.0, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2026-03-17T18:16:16.057", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Release Notes"], "url": "https://dl.gl-inet.com/release/kvm/release/RM1/1.8.2"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Broken Link"], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-32291"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-306"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,*]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Comet KVM", "source": "cna", "vendor": "GL-iNet"}, "product": "comet_kvm", "vendor": "gl-inet"}], "analysis": {"en": {"generated_at": "2026-03-23T20:29:46.844809+00:00", "value": {"mitigation_remediation": ["Update the device firmware to 1.8.2 or later to enforce UART authentication", "If an update is not possible, restrict physical access to the UART pins by securing the device enclosure or disabling the UART interface in hardware", "Verify that the UART console is no longer accessible by connecting a serial client and confirming authentication is required"], "summary": {"action": "Patch immediately", "impact": "Unauthenticated root access via UART console leading to full system compromise"}, "threat_synthesis": {"affected_systems": "Affected products are the GL\u2011iNet Comet KVM, model GL\u2011RM1. All firmware releases prior to 1.8.2 are vulnerable. Users of devices running those firmware versions must verify the firmware and update if possible.", "description_and_impact": "The vulnerability exists in GL\u2011iNet Comet KVM firmware versions earlier than 1.8.2. The UART serial console does not enforce authentication, allowing anyone with physical access to the device to log in as root. This bypass of required authentication (CWE\u2011306) means an attacker could obtain complete control of the device, modify configuration, exfiltrate data, or pivot to other devices on the network.", "risk_and_exploitability": "The CVSS score of 7 indicates a high severity vulnerability. The EPSS score of less than 1% reflects a low likelihood of exploitation in the wild, and the vulnerability is not included in the CISA KEV catalog. Exploitation requires physical access to connect to the UART pins, which limits the attack surface. Nevertheless, devices deployed in environments where attackers could gain physical access pose a significant risk."}}}}, "created": "2026-03-18T12:13:12.593773+00:00", "updated": "2026-03-24T10:49:07.252425+00:00", "vendors": ["gl-inet", "gl-inet$PRODUCT$comet_kvm"]}