Byte Open Security

(ByteOS Network)

Comet KVM

Source -

CNA

CNA CVEs - 4
ADP CVEs - 0
CISA CVEs - 0
NVD CVEs - 0
4 Vulnerabilities found

CVE-2026-32293
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-6.3||MEDIUM
EPSS-0.03% / 9.36%
7 Day CHG~0.00%
Published-17 Mar, 2026 | 17:19
Updated-23 Mar, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GL-iNet Comet (GL-RM1) KVM insufficient certificate validation

The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the invalid certificates and fail to connect to the legitimate GL-iNet KVM cloud service.

Action-Not Available
Vendor-GL-iNet
Product-Comet KVM
CWE ID-CWE-295
Improper Certificate Validation
CVE-2026-32292
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-9.3||CRITICAL
EPSS-0.04% / 13.59%
7 Day CHG~0.00%
Published-17 Mar, 2026 | 17:18
Updated-23 Mar, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GL-iNet Comet (GL-RM1) KVM insufficient login rate-limiting

The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials.

Action-Not Available
Vendor-GL-iNet
Product-Comet KVM
CWE ID-CWE-307
Improper Restriction of Excessive Authentication Attempts
CVE-2026-32291
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-7||HIGH
EPSS-0.05% / 16.07%
7 Day CHG~0.00%
Published-17 Mar, 2026 | 17:18
Updated-23 Mar, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GL-iNet Comet (GL-RM1) KVM unauthenticated root access via UART serial console

The GL-iNet Comet (GL-RM1) KVM before 1.8.2 does not require authentication on the UART serial console. This attack requires physically opening the device and connecting to the UART pins.

Action-Not Available
Vendor-GL-iNet
Product-Comet KVM
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-32290
Assigner-Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
CVSS Score-7||HIGH
EPSS-0.01% / 0.57%
7 Day CHG~0.00%
Published-17 Mar, 2026 | 17:18
Updated-23 Mar, 2026 | 20:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
GL-iNet Comet (GL-RM1) KVM insufficient firmware verification

The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification.

Action-Not Available
Vendor-GL-iNet
Product-Comet KVM
CWE ID-CWE-345
Insufficient Verification of Data Authenticity