CVE-2026-32290

The GL-iNet Comet (GL-RM1) KVM does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification.

Weakness

The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.

Related Attack Patterns

• https://cwe.mitre.org/data/definitions/111.html
• https://cwe.mitre.org/data/definitions/141.html
• https://cwe.mitre.org/data/definitions/142.html
• https://cwe.mitre.org/data/definitions/148.html
• https://cwe.mitre.org/data/definitions/218.html
• https://cwe.mitre.org/data/definitions/384.html
• https://cwe.mitre.org/data/definitions/385.html
• https://cwe.mitre.org/data/definitions/386.html
• https://cwe.mitre.org/data/definitions/387.html
• https://cwe.mitre.org/data/definitions/388.html
• https://cwe.mitre.org/data/definitions/665.html
• https://cwe.mitre.org/data/definitions/701.html

References

• https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/
• https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json
• https://www.cve.org/CVERecord?id=CVE-2026-32290