CVE-2026-32291 HIGH

CVE-2026-32291: GL-iNet Comet (GL-RM1) KVM unauthenticated root access via UART serial console

Vendor GL-iNet
Product Comet KVM
Weakness CWE-306 · Missing auth
Published March 17, 2026
Last update March 23, 2026

CVSS base score

7.0/10
Attack vector Physical
Attack complexity Low
Privileges required None
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:4.0/AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins.

Key dates

02 Disclosure timeline

March 17, 2026 CVE published
March 23, 2026 Record updated