CVE-2026-32290
Received Received - Intake
Firmware Verification Bypass in GL-iNet Comet KVM Enables Tampering

Publication date: 2026-03-17

Last updated on: 2026-04-27

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32290
EUVD
EUVD-2026-12598
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gl-inet comet_gl-rm1_firmware to 1.8.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-345 The product does not sufficiently verify the origin or authenticity of data, in a way that causes it to accept invalid data.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-32290 is a security vulnerability in the GL-iNet Comet RM-1 IP-KVM device where the device does not properly verify the authenticity of firmware files during updates.

The device relies solely on an MD5 hash embedded within the firmware file itself to validate the firmware. Because the hash is part of the file, an attacker can modify the firmware, recalculate the MD5 hash, and append it to the file, tricking the device into accepting malicious firmware as legitimate.

There is no strong cryptographic signature or public key verification, so the device cannot reliably ensure firmware integrity or authenticity.

Impact Analysis

[{'type': 'paragraph', 'content': "This vulnerability allows an attacker who can access the device's web interface or exploit related weaknesses to upload arbitrary malicious firmware."}, {'type': 'paragraph', 'content': 'Compromising the firmware gives the attacker full control over the KVM device and all machines connected to it, potentially bypassing operating system security, endpoint detection, and other defenses.'}, {'type': 'paragraph', 'content': 'Because the KVM device can emulate USB input devices, attackers can perform advanced attacks such as keystroke injection (BadUSB), BIOS manipulation, and full OS compromise.'}, {'type': 'paragraph', 'content': 'This can lead to severe security breaches in enterprise, industrial, healthcare, and government environments where these devices are commonly used for remote management.'}] [2]

Compliance Impact

I don't know

Detection Guidance

[{'type': 'paragraph', 'content': 'The vulnerability involves insufficient verification of firmware authenticity on the GL-iNet Comet RM-1 IP-KVM device. Detection would focus on identifying devices running this vulnerable firmware and checking for unauthorized or modified firmware uploads.'}, {'type': 'paragraph', 'content': "Since the device relies solely on an embedded MD5 hash within the firmware file for verification, one detection approach is to compare the firmware's MD5 hash against a known good hash from a trusted source. However, because the hash is part of the firmware file and can be modified by an attacker, this method is not fully reliable."}, {'type': 'paragraph', 'content': "Network detection could include monitoring for unusual firmware upload activity to the device's web interface or signs of brute-force login attempts, as attackers may exploit these to upload malicious firmware."}, {'type': 'paragraph', 'content': 'Specific commands are not provided in the available resources, but general steps might include:'}, {'type': 'list_item', 'content': 'Use network scanning tools to identify GL-iNet Comet RM-1 devices on your network.'}, {'type': 'list_item', 'content': "Check device firmware versions via the device's management interface or SNMP if supported."}, {'type': 'list_item', 'content': 'Monitor logs for firmware upload events or failed/successful login attempts.'}, {'type': 'list_item', 'content': 'Manually verify firmware integrity by comparing MD5 hashes with official firmware hashes, if available.'}] [2]

Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps focus on reducing the risk of exploitation given that no fix is currently planned by GL-iNet.'}, {'type': 'list_item', 'content': 'Restrict network access to the GL-iNet Comet RM-1 device, limiting it to trusted management networks only.'}, {'type': 'list_item', 'content': "Implement strong authentication controls to prevent unauthorized access to the device's web interface, including using strong, unique passwords and enabling any available account lockout or brute-force protection mechanisms."}, {'type': 'list_item', 'content': 'Monitor device logs for suspicious activity such as repeated login attempts or unexpected firmware uploads.'}, {'type': 'list_item', 'content': 'Consider isolating or replacing the vulnerable device with a more secure alternative if possible.'}, {'type': 'paragraph', 'content': 'Because the device accepts firmware based on an easily spoofed MD5 hash, avoid relying solely on firmware verification and instead focus on network and access controls to mitigate risk.'}] [2]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32290. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart