CVE-2026-32293 LOW

CVE-2026-32293: GL-iNet Comet (GL-RM1) KVM insufficient certificate validation

Vendor Gl-Inet
Product Comet KVM
Weakness CWE-295
Published March 17, 2026
Last update March 23, 2026

CVSS base score

3.7/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality None
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

What the vulnerability does

01Description

The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the invalid certificates and fail to connect to the legitimate GL-iNet KVM cloud service.

Key dates

02Disclosure timeline

March 17, 2026 CVE published
March 23, 2026 Record updated