CVE-2026-32293

3.7 LOW

Published: March 17, 2026 Modified: March 18, 2026

Description

The GL-iNet Comet (GL-RM1) KVM connects to a GL-iNet site during boot-up to provision client and CA certificates. The GL-RM1 does not verify certificates used for this connection, allowing an attacker-in-the-middle to serve invalid client and CA certificates. The GL-RM1 will attempt to use the invalid certificates and fail to connect to the legitimate GL-iNet KVM cloud service.

AI Explanation

Get an AI-powered plain-language explanation of this vulnerability and remediation steps.

Login to generate AI explanation

CVSS v3.x Details

0.0 Low Medium High Critical 10.0

Vector String

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L

References to Advisories, Solutions, and Tools

Patch Vendor Advisory Exploit Third Party Advisory

https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-own-your-entire-network/

Source: 9119a7d8-5eab-497f-8521-727c672e3725

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json

Source: 9119a7d8-5eab-497f-8521-727c672e3725

https://www.cve.org/CVERecord?id=CVE-2026-32293

Source: 9119a7d8-5eab-497f-8521-727c672e3725

3 reference(s) from NVD

Quick Stats

CVSS v3 Score

3.7 / 10.0

EPSS (Exploit Probability)

0.0%

5th percentile

Exploitation Status

Not in CISA KEV

Weaknesses (CWE)

CWE-295

Related CVEs

CVE-2026-4478 8.1

CVE-2026-4477 3.1

CVE-2026-4476 6.3

CVE-2026-4475 8.8

CVE-2026-4474 2.4