CVE-2026-32292
Received Received - Intake
Brute-Force Vulnerability in GL-iNet Comet KVM Web Login

Publication date: 2026-03-17

Last updated on: 2026-04-27

Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government

Description
The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-03-17
Last Modified
2026-04-27
Generated
2026-06-16
AI Q&A
2026-03-17
EPSS Evaluated
2026-06-15
NVD
CVE-2026-32292
EUVD
EUVD-2026-12602
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
gl-inet comet_gl-rm1_firmware to 1.7.2 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-307 The product does not implement sufficient measures to prevent multiple failed authentication attempts within a short time frame.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability affects the GL-iNet Comet (GL-RM1) KVM web interface by not limiting the number of login attempts. This allows attackers to perform brute-force attacks to guess user credentials.

Impact Analysis

Because the web interface does not restrict login attempts, an attacker can repeatedly try different passwords until they gain unauthorized access. This can lead to a complete compromise of the device's control interface, potentially exposing sensitive information or allowing malicious actions.

Compliance Impact

I don't know

Detection Guidance

I don't know

Mitigation Strategies

I don't know

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-32292. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart