Total: 4 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 |
|---|---|---|---|---|---|
| CVE-2026-32293 | 1 Gl-inet | 2 Comet Gl-rm1, Comet Gl-rm1 Firmware | 2026-04-27 | N/A | 3.7 LOW |
| The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the invalid certificates and fail to connect to the legitimate GL-iNet KVM cloud service. | |||||
| CVE-2026-32292 | 1 Gl-inet | 2 Comet Gl-rm1, Comet Gl-rm1 Firmware | 2026-04-27 | N/A | 7.5 HIGH |
| The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials. | |||||
| CVE-2026-32291 | 1 Gl-inet | 2 Comet Gl-rm1, Comet Gl-rm1 Firmware | 2026-04-27 | N/A | 6.8 MEDIUM |
| The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins. | |||||
| CVE-2026-32290 | 1 Gl-inet | 2 Comet Gl-rm1, Comet Gl-rm1 Firmware | 2026-04-27 | N/A | 4.7 MEDIUM |
| The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification. | |||||
