CVE-2026-32293
Certificate Validation Bypass in GL-iNet Comet KVM Enables MITM
Publication date: 2026-03-17
Last updated on: 2026-04-27
Assigner: Cybersecurity and Infrastructure Security Agency (CISA) U.S. Civilian Government
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| gl-inet | comet_gl-rm1_firmware | to 1.7.2 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-295 | The product does not validate, or incorrectly validates, a certificate. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The GL-iNet Comet (GL-RM1) KVM device connects to a GL-iNet site during its boot-up process to provision client and CA certificates. However, it does not verify the certificates used for this connection. This lack of verification allows an attacker positioned in the middle of the connection (man-in-the-middle) to provide invalid client and CA certificates. The device will then attempt to use these invalid certificates, which causes it to fail to connect to the legitimate GL-iNet KVM cloud service.
How can this vulnerability impact me? :
This vulnerability can lead to a denial of service condition where the GL-RM1 device fails to connect to the legitimate GL-iNet KVM cloud service because it uses invalid certificates provided by an attacker. While it does not directly compromise confidentiality or integrity, the inability to connect properly may disrupt device provisioning and management.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
I don't know
What immediate steps should I take to mitigate this vulnerability?
I don't know