PatchSiren cyber security CVE debrief
CVE-2026-32291 GL-iNet CVE debrief
The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 has a critical vulnerability that allows unauthenticated root access via the UART serial console. This attack requires physical access to the device and connection to the UART pins. The vulnerability was reported on March 10, 2026, and publicly disclosed on March 17, 2026. The CVSS score for this vulnerability is 6.8, indicating a medium severity. The vulnerability was fixed in version 1.8.2, released on March 20, 2026.
- Vendor: GL-iNet
- Product: Comet KVM
- CVSS: MEDIUM 6.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-03-17
- Original CVE updated: 2026-03-24
- Advisory published: 2026-03-17
- Advisory updated: 2026-03-24
Who should care
Organizations using the GL-iNet Comet (GL-RM1) KVM, especially those in industries requiring high security, should prioritize patching this vulnerability. Physical security of devices is crucial, as an attacker with physical access can exploit this vulnerability. IT teams responsible for managing KVM devices should be aware of this risk and take immediate action.
Technical summary
The GL-iNet Comet (GL-RM1) KVM before 1.8.2 lacks authentication on the UART serial console, allowing an attacker with physical access to gain root access. The vulnerability is characterized by CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The attack requires physically opening the device and connecting to the UART pins. This vulnerability was reported on March 10, 2026, and patched on March 20, 2026. The fix is available in version 1.8.2.
Defensive priority
High priority should be given to patching GL-iNet Comet (GL-RM1) KVM devices to version 1.8.2 or later. Physical security measures should be reviewed to prevent unauthorized access to devices.
Recommended defensive actions
- Patch GL-iNet Comet (GL-RM1) KVM to version 1.8.2 or later immediately.
- Review physical security measures to prevent unauthorized access to devices.
- Inventory and monitor GL-iNet Comet (GL-RM1) KVM devices for potential exploitation attempts.
- Implement compensating controls, such as limiting physical access to devices.
- Monitor for and respond to potential exploitation attempts.
Evidence notes
The source item provided by CISA contains detailed information about the vulnerability, including its description, affected products, and remediation steps. The CVE record and NVD detail provide additional context and scoring information. Eclypsium's blog post discusses the broader implications of KVM vulnerabilities. The official fix is available from GL-iNet's website.
Official resources
- CVE-2026-32291 CVE record (CVE.org)
- CVE-2026-32291 NVD detail (NVD)
- Source item URL (cisa_csaf)
This article is AI-assisted and based on the supplied source corpus.