{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32292", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "state": "PUBLISHED", "assignerShortName": "cisa-cg", "dateReserved": "2026-03-11T18:26:16.060Z", "datePublished": "2026-03-17T17:18:54.851Z", "dateUpdated": "2026-03-23T19:34:33.902Z"}, "containers": {"cna": {"descriptions": [{"lang": "en", "value": "The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials."}], "affected": [{"vendor": "GL-iNet", "product": "Comet KVM", "defaultStatus": "unknown", "versions": [{"version": "0", "status": "affected", "lessThan": "1.7.2", "versionType": "custom"}, {"version": "1.7.2", "status": "unaffected"}]}], "problemTypes": [{"descriptions": [{"description": "CWE-307 Improper Restriction of Excessive Authentication Attempts", "lang": "en", "type": "CWE", "cweId": "CWE-307"}]}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-03-13T18:47:55.255705Z", "id": "CVE-2026-32292", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "GL-iNet Comet (GL-RM1) KVM insufficient login rate-limiting", "references": [{"name": "url", "url": "https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/"}, {"name": "url", "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"}, {"name": "url", "url": "https://www.cve.org/CVERecord?id=CVE-2026-32292"}, {"name": "url", "url": "https://dl.gl-inet.com/release/kvm/release/RM1/1.7.2", "tags": ["patch"]}], "credits": [{"value": "Reynaldo Vasquez Garcia, Eclypsium", "lang": "en"}], "datePublic": "2026-03-17T00:00:00.000Z", "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-23T19:34:33.902Z"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-03-17T17:56:24.256642Z", "id": "CVE-2026-32292", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T17:56:30.651Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-32292", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-17T17:56:24.256642Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-03-17T17:56:27.953Z"}}], "cna": {"title": "GL-iNet Comet (GL-RM1) KVM insufficient login rate-limiting", "credits": [{"lang": "en", "value": "Reynaldo Vasquez Garcia, Eclypsium"}], "metrics": [{"cvssV4_0": {"version": "4.0", "baseScore": 9.3, "attackVector": "NETWORK", "baseSeverity": "CRITICAL", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH"}}, {"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.5, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "NONE", "privilegesRequired": "NONE", "confidentialityImpact": "HIGH"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32292", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "yes"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-03-13T18:47:55.255705Z"}}}], "affected": [{"vendor": "GL-iNet", "product": "Comet KVM", "versions": [{"status": "affected", "version": "0", "lessThan": "1.7.2", "versionType": "custom"}, {"status": "unaffected", "version": "1.7.2"}], "defaultStatus": "unknown"}], "datePublic": "2026-03-17T00:00:00.000Z", "references": [{"url": "https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/", "name": "url"}, {"url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json", "name": "url"}, {"url": "https://www.cve.org/CVERecord?id=CVE-2026-32292", "name": "url"}, {"url": "https://dl.gl-inet.com/release/kvm/release/RM1/1.7.2", "name": "url", "tags": ["patch"]}], "descriptions": [{"lang": "en", "value": "The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-307", "description": "CWE-307 Improper Restriction of Excessive Authentication Attempts"}]}], "providerMetadata": {"orgId": "9119a7d8-5eab-497f-8521-727c672e3725", "shortName": "cisa-cg", "dateUpdated": "2026-03-23T19:34:33.902Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32292", "state": "PUBLISHED", "dateUpdated": "2026-03-23T19:34:33.902Z", "dateReserved": "2026-03-11T18:26:16.060Z", "assignerOrgId": "9119a7d8-5eab-497f-8521-727c672e3725", "datePublished": "2026-03-17T17:18:54.851Z", "assignerShortName": "cisa-cg"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:gl-inet:comet_gl-rm1_firmware:*:*:*:*:*:*:*:*", "matchCriteriaId": "F86D4652-283A-4539-ACDF-374239922EE4", "versionEndExcluding": "1.7.2", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:gl-inet:comet_gl-rm1:-:*:*:*:*:*:*:*", "matchCriteriaId": "8FB81934-02A0-4324-B96C-6BE3A8F7568B", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [], "descriptions": [{"lang": "en", "value": "The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials."}, {"lang": "es", "value": "La interfaz web KVM del GL-iNet Comet (GL-RM1) no limita las solicitudes de inicio de sesi\u00f3n, lo que permite intentos de fuerza bruta para adivinar credenciales."}], "id": "CVE-2026-32292", "lastModified": "2026-04-27T12:39:01.693", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 7.5, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 3.6, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "NETWORK", "availabilityRequirement": "NOT_DEFINED", "baseScore": 9.3, "baseSeverity": "CRITICAL", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "NONE", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}, "published": "2026-03-17T18:16:16.227", "references": [{"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Release Notes"], "url": "https://dl.gl-inet.com/release/kvm/release/RM1/1.7.2"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Broken Link"], "url": "https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json"}, {"source": "9119a7d8-5eab-497f-8521-727c672e3725", "tags": ["Third Party Advisory"], "url": "https://www.cve.org/CVERecord?id=CVE-2026-32292"}], "sourceIdentifier": "9119a7d8-5eab-497f-8521-727c672e3725", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-307"}], "source": "9119a7d8-5eab-497f-8521-727c672e3725", "type": "Secondary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,1.7.2)"}}, {"platform": null, "status": "unaffected", "versions": {"scheme": "semver", "value": "1.7.2"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "Comet KVM", "source": "cna", "vendor": "GL-iNet"}, "product": "comet_kvm", "vendor": "gl-inet"}], "analysis": {"en": {"generated_at": "2026-03-17T20:51:44.847514+00:00", "value": {"mitigation_remediation": ["Obtain and install any available firmware update from GL\u2011iNet that introduces login request rate limiting for the KVM interface.", "If no update is available, immediately change the default KVM credentials to a strong, unique password to make brute\u2011force attempts infeasible.", "Limit access to the KVM web interface by configuring firewall rules or network segmentation so that only trusted administrative IP addresses can reach it.", "Enable logging of failed login attempts and monitor the logs for repeated brute\u2011force activity, alerting security personnel when thresholds are exceeded."], "summary": {"action": "Apply Update", "impact": "Remote Brute\u2011Force Credential Compromise"}, "threat_synthesis": {"affected_systems": "All GL\u2011iNet Comet (GL\u2011RM1) devices that include the KVM web interface are affected. No specific firmware revision is listed, indicating that every build with the KVM feature remains susceptible until a mitigation is applied.", "description_and_impact": "The GL\u2011iNet Comet (GL\u2011RM1) router\u2019s KVM web interface permits unlimited login attempts, enabling an attacker to brute\u2011force credentials. This flaw, classified as CWE\u2011307, allows unauthorized individuals to discover the administrator password and gain full control of the device\u2019s management functions. The impact is a complete compromise of account integrity, potentially allowing system configuration changes, traffic manipulation, or further lateral movement within the network.", "risk_and_exploitability": "The vulnerability has a CVSS score of 9.3, which marks it as critical severity. EPSS data is not available and the issue is not currently cataloged in CISA\u2019s Known Exploit Vulnerabilities list. The attack requires only remote reachability of the KVM interface; no local access or privileged execution is needed. If default or weak credentials are present, a brute\u2011force attack could succeed within a relatively short time. While no public exploits have been reported, the simplicity of the attack vector makes exploitation highly likely for motivated adversaries."}}}}, "created": "2026-03-18T12:13:11.748844+00:00", "updated": "2026-03-24T10:49:06.381526+00:00", "vendors": ["gl-inet", "gl-inet$PRODUCT$comet_kvm"]}