CVE-2026-32290

low-risk

Published 2026-03-17

The GL-iNet Comet (GL-RM1) KVM before version 1.8.2 does not sufficiently verify the authenticity of uploaded firmware files. An attacker-in-the-middle or a compromised update server could modify the firmware and the corresponding MD5 hash to pass verification.

Do I need to act?

0.01% chance of exploitation

EPSS score — low exploit probability

Not on CISA KEV list

No confirmed active exploitation reported to CISA

Patch status unknown

Check vendor advisories for fix availability and mitigation guidance

CVSS 4.7/10 Medium

LOCAL / HIGH complexity

References (4)

https://dl.gl-inet.com/release/kvm/release/RM1/1.8.2

https://eclypsium.com/blog/your-kvm-is-the-weak-link-how-30-dollar-devices-can-o...

https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/...

https://www.cve.org/CVERecord?id=CVE-2026-32290

/ 100

low-risk

Severity 12/34 · Low

Exploitability 0/34 · Minimal

Exposure 5/34 · Minimal