CVE-2026-32290
Status: Received - Intake
Firmware Verification Bypass in GL-iNet Comet KVM Enables Tampering

Publication date: 2026-03-17

Last updated on: 2026-04-27

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification.
Meta Information
Published: 2026-03-17
Last Modified: 2026-04-27
Generated: 2026-05-07
AI Q&A: 2026-03-17
EPSS Evaluated: 2026-05-05
References: NVD, EUVD
Affected Vendors & Products
Vendor: gl-inet
Product: comet_gl-rm1_firmware
Version range: all versions before 1.8.2 (1.8.2 excluded)
CWE
CWE-345: The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-32290 is a security vulnerability in the GL-iNet Comet RM-1 IP-KVM device where the device does not properly verify the authenticity of firmware files during updates.

The device relies solely on an MD5 hash embedded within the firmware file itself to validate the firmware. Because the hash is part of the file, an attacker can modify the firmware, recalculate the MD5 hash, and append it to the file, tricking the device into accepting malicious firmware as legitimate.

There is no strong cryptographic signature or public key verification, so the device cannot reliably ensure firmware integrity or authenticity.
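As an added example (not the page's or GL-iNet's code), the self-checking MD5 trailer described above is shown beside a keyed verification whose key lives on the device rather than in the file. The image layout is a constructed assumption, and HMAC-SHA256 stands in for the public-key signature a real design would use.

```python
import hashlib
import hmac
import secrets

# Constructed toy image layout, assumed for illustration only (not the real
# GL-RM1 format): payload bytes followed by a 16-byte raw MD5 trailer.
MD5_LEN = 16


def build_image(payload: bytes) -> bytes:
    """Assemble an image the way a self-checking MD5 trailer scheme would."""
    return payload + hashlib.md5(payload).digest()


def verify_embedded_md5(image: bytes) -> bool:
    """The weak check: the trailer is recomputed from the same file it protects,
    so any image whose trailer matches its own body is accepted."""
    if len(image) <= MD5_LEN:
        return False
    body, trailer = image[:-MD5_LEN], image[-MD5_LEN:]
    return hmac.compare_digest(hashlib.md5(body).digest(), trailer)


def sign_image(image: bytes, vendor_key: bytes) -> bytes:
    """Vendor side: produce a tag over the whole image with a key that never
    ships inside the file. HMAC-SHA256 stands in for an asymmetric signature."""
    return hmac.new(vendor_key, image, hashlib.sha256).digest()


def verify_signed(image: bytes, tag: bytes, device_key: bytes) -> bool:
    """Device side: accept only if the tag verifies under the key provisioned
    on the device. A modified body or a forged tag fails here."""
    expected = hmac.new(device_key, image, hashlib.sha256).digest()
    return hmac.compare_digest(expected, tag)


def compare_schemes(original: bytes, modified: bytes, key: bytes) -> dict:
    """Run both checks on a genuine image and on a rebuilt one whose trailer
    was recomputed for its new body; report which checks accept which."""
    genuine = build_image(original)
    tag = sign_image(genuine, key)          # computed once by the vendor
    rebuilt = build_image(modified)         # different body, fresh trailer
    return {
        "md5_accepts_genuine": verify_embedded_md5(genuine),
        "md5_accepts_rebuilt": verify_embedded_md5(rebuilt),
        "sig_accepts_genuine": verify_signed(genuine, tag, key),
        "sig_accepts_rebuilt": verify_signed(rebuilt, tag, key),
    }


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed key; a real device holds a public key
    print(compare_schemes(b"firmware v1.8.1 (constructed)", b"firmware modified", key))
```

The embedded-MD5 check accepts both images because it only proves the file is consistent with itself; the keyed check rejects the rebuilt one because its tag was never issued for that body.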


How can this vulnerability impact me?

This vulnerability allows an attacker who can access the device's web interface or exploit related weaknesses to upload arbitrary malicious firmware.

Compromising the firmware gives the attacker full control over the KVM device and all machines connected to it, potentially bypassing operating system security, endpoint detection, and other defenses.

Because the KVM device can emulate USB input devices, attackers can perform advanced attacks such as keystroke injection (BadUSB), BIOS manipulation, and full OS compromise.

This can lead to severe security breaches in enterprise, industrial, healthcare, and government environments where these devices are commonly used for remote management. [2]


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

I don't know


How can this vulnerability be detected on my network or system? Can you suggest some commands?

The vulnerability involves insufficient verification of firmware authenticity on the GL-iNet Comet RM-1 IP-KVM device. Detection would focus on identifying devices running this vulnerable firmware and checking for unauthorized or modified firmware uploads.

Since the device relies solely on an embedded MD5 hash within the firmware file for verification, one detection approach is to compare the firmware's MD5 hash against a known good hash from a trusted source. However, because the hash is part of the firmware file and can be modified by an attacker, this method is not fully reliable.

Network detection could include monitoring for unusual firmware upload activity to the device's web interface or signs of brute-force login attempts, as attackers may exploit these to upload malicious firmware.

Specific commands are not provided in the available resources, but general steps might include:

- Use network scanning tools to identify GL-iNet Comet RM-1 devices on your network.
- Check device firmware versions via the device's management interface or SNMP if supported.
- Monitor logs for firmware upload events or failed/successful login attempts.
- Manually verify firmware integrity by comparing MD5 hashes with official firmware hashes, if available. [2]


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps focus on reducing the risk of exploitation given that no fix is currently planned by GL-iNet.

- Restrict network access to the GL-iNet Comet RM-1 device, limiting it to trusted management networks only.
- Implement strong authentication controls to prevent unauthorized access to the device's web interface, including using strong, unique passwords and enabling any available account lockout or brute-force protection mechanisms.
- Monitor device logs for suspicious activity such as repeated login attempts or unexpected firmware uploads.
- Consider isolating or replacing the vulnerable device with a more secure alternative if possible.

Because the device accepts firmware based on an easily spoofed MD5 hash, avoid relying solely on firmware verification and instead focus on network and access controls to mitigate risk. [2]

