This page lists publicly disclosed CVE vulnerabilities affecting gl-inet comet_gl-rm1_firmware (linked via NVD CPE). Each row includes severity scores, summaries, and publication dates to help identify and analyze security issues.
| CVE | Summary | Source | Max CVSS | EPSS % | Published | Updated |
|---|---|---|---|---|---|---|
| CVE-2026-32293 | The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the invalid certificates and fail to connect to the legitimate GL-iNet KVM cloud service. | 9119a7d8-5eab-497f-8521-727c672e3725 | 6.3 | 0.33% | 2026-03-17 | 2026-06-17 |
| CVE-2026-32292 | The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials. | 9119a7d8-5eab-497f-8521-727c672e3725 | 9.3 | 0.53% | 2026-03-17 | 2026-06-17 |
| CVE-2026-32291 | The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.0 | 0.33% | 2026-03-17 | 2026-06-17 |
| CVE-2026-32290 | The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification. | 9119a7d8-5eab-497f-8521-727c672e3725 | 7.0 | 0.16% | 2026-03-17 | 2026-06-17 |