
CVE-2026-32291: GL-iNet Comet Auth Bypass Vulnerability

CVE-2026-32291 is an authentication bypass flaw in GL-iNet Comet (GL-RM1) KVM that lacks UART console authentication. Attackers with physical access can exploit this. This article covers technical details, impact, and mitigations.

CVE-2026-32291 Overview

CVE-2026-32291 is a missing authentication vulnerability affecting the GL-iNet Comet (GL-RM1) KVM device. The device does not require authentication on the UART serial console, allowing attackers with physical access to gain full control over the system. This attack requires physically opening the device enclosure and connecting directly to the exposed UART pins on the circuit board.

Critical Impact

Attackers with physical access can bypass authentication entirely, potentially compromising the KVM device and any connected systems in the network infrastructure.

Affected Products

  • GL-iNet Comet (GL-RM1) KVM

Discovery Timeline

  • 2026-03-17 - CVE-2026-32291 published to NVD
  • 2026-03-18 - Last updated in NVD database

Technical Details for CVE-2026-32291

Vulnerability Analysis

This vulnerability is classified under CWE-306 (Missing Authentication for Critical Function). The GL-iNet Comet KVM device exposes a UART (Universal Asynchronous Receiver-Transmitter) serial console interface that provides direct access to the device's operating system or bootloader without requiring any form of authentication. UART interfaces are commonly used during development and debugging but should be secured or disabled in production devices.

KVM (Keyboard, Video, Mouse) switches are particularly sensitive network infrastructure components as they provide direct control over multiple connected systems. A compromised KVM device could serve as a pivot point for attackers to access and control all connected machines, making this a significant supply chain and infrastructure security concern.

Root Cause

The root cause of this vulnerability is the absence of authentication mechanisms on the UART serial console interface. The manufacturer did not implement password protection, secure boot verification, or any access controls for the debug interface. This is a common oversight in embedded device development where debug interfaces are left enabled and unsecured in production firmware.
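As an added example (not GL-iNet firmware and not tooling from this advisory), the following Python script audits a BusyBox-style /etc/inittab extracted from a firmware image and flags serial consoles that spawn a shell without going through getty/login, which is the configuration pattern behind CWE-306 on an embedded device. The BusyBox inittab format, the serial tty device names, and both sample inittab files are assumptions constructed for illustration; nothing here is taken from the GL-RM1 firmware.

```python
"""Audit a BusyBox-style /etc/inittab for serial consoles that hand out a
shell without a login prompt (the CWE-306 pattern on embedded devices).

Added example, not GL-iNet's firmware or the advisory's own tooling. It
assumes (hypothetically) an embedded Linux root filesystem using the BusyBox
init format '<id>::<action>:<process>'; both sample inittab texts below are
constructed for illustration.
"""
import re
from dataclasses import dataclass

# Serial tty names used by common SoCs, matched against the inittab id field
# (BusyBox uses the device name without the /dev/ prefix, e.g. "ttyS0").
# An empty id means the kernel console, which we record as "console".
SERIAL_TTY = re.compile(r"^(ttyS\d+|ttyAMA\d+|ttyUSB\d+|ttymxc\d+|ttyO\d+|console)$")

# Programs that prompt for credentials before handing out a shell.
LOGIN_PROGRAMS = {"getty", "agetty", "login", "mgetty"}

# Actions that run an interactive process on the console; sysinit/wait entries
# are one-shot boot scripts and are not treated as consoles here.
CONSOLE_ACTIONS = {"respawn", "askfirst", "once"}

SHELLS = {"sh", "ash", "bash", "dash"}


@dataclass
class Finding:
    line_no: int
    tty: str
    action: str
    process: str
    reason: str


def _program_name(arg: str) -> str:
    """'-/bin/sh' (login-shell marker) -> 'sh'."""
    return arg.lstrip("-").rsplit("/", 1)[-1]


def audit_inittab(text: str) -> list[Finding]:
    """Return one Finding per serial console entry that bypasses getty/login."""
    findings: list[Finding] = []
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(":", 3)
        if len(parts) != 4:
            continue  # not a well-formed inittab entry
        tty, _runlevels, action, process = parts
        if action not in CONSOLE_ACTIONS:
            continue
        argv = process.split()
        if not argv:
            continue
        tty_name = tty or "console"
        if not SERIAL_TTY.match(tty_name):
            continue
        prog = _program_name(argv[0])
        if prog in LOGIN_PROGRAMS:
            continue  # credentials required before a shell is reached
        reason = ("shell spawned directly on serial console" if prog in SHELLS
                  else "non-login process on serial console")
        findings.append(Finding(line_no, tty_name, action, process, reason))
    return findings


# Constructed sample: debug console left wide open (the CWE-306 configuration).
VULNERABLE_INITTAB = """\
::sysinit:/etc/init.d/rcS
::askfirst:-/bin/sh
ttyS0::respawn:/bin/sh
::ctrlaltdel:/sbin/reboot
"""

# Constructed sample: the serial line goes through getty -> /bin/login.
HARDENED_INITTAB = """\
::sysinit:/etc/init.d/rcS
ttyS0::respawn:/sbin/getty -L ttyS0 115200 vt100
::ctrlaltdel:/sbin/reboot
"""

if __name__ == "__main__":
    for label, text in (("vulnerable", VULNERABLE_INITTAB), ("hardened", HARDENED_INITTAB)):
        print(f"{label}: {len(audit_inittab(text))} finding(s)")
        for f in audit_inittab(text):
            print(f"  line {f.line_no}: {f.tty} {f.action} {f.process!r}: {f.reason}")
```

Run against a root filesystem unpacked from a firmware image, the audit surfaces exactly the entries a manufacturer's release checklist should catch before shipping; the hardened variant still exposes the UART, but only behind the same password check as any other login.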

Attack Vector

The attack vector requires physical access to the device. An attacker must:

  1. Gain physical access to the GL-iNet Comet (GL-RM1) KVM device
  2. Open the device enclosure to expose the internal circuit board
  3. Identify and connect to the UART pins (typically TX, RX, and GND)
  4. Use a USB-to-UART adapter connected to a computer running terminal software
  5. Access the serial console with no authentication required

Once connected, the attacker gains direct access to the device's command interface, potentially obtaining root-level access to the underlying operating system. This could allow firmware extraction, configuration manipulation, credential harvesting, or implantation of persistent backdoors.

As detailed in the Eclypsium research blog post, inexpensive KVM devices like this one can become significant weak links in enterprise security, potentially allowing attackers to compromise entire networks through these overlooked infrastructure components.

Detection Methods for CVE-2026-32291

Indicators of Compromise

  • Physical tampering evidence on KVM device enclosures (broken seals, scratches, pry marks)
  • Unexpected configuration changes on the KVM device
  • Unknown or unauthorized firmware modifications
  • Presence of additional wires or connections inside the device housing

Detection Strategies

  • Implement physical security monitoring for network infrastructure equipment
  • Conduct regular physical inspections of KVM devices for signs of tampering
  • Use tamper-evident seals on device enclosures and monitor for breaches
  • Maintain asset inventory and chain-of-custody records for all KVM devices

Monitoring Recommendations

  • Deploy physical security cameras in areas where KVM devices are located
  • Implement asset management systems to track hardware integrity
  • Establish baseline configurations and periodically verify device settings
  • Monitor network traffic from KVM devices for anomalous patterns

How to Mitigate CVE-2026-32291

Immediate Actions Required

  • Restrict physical access to GL-iNet Comet KVM devices to authorized personnel only
  • Apply tamper-evident seals to device enclosures to detect unauthorized access
  • Consider replacing affected devices with alternatives that implement UART authentication
  • Review and audit all KVM devices in your infrastructure for similar vulnerabilities

Patch Information

No vendor patch information is currently available for this vulnerability. Physical security controls are the primary mitigation. Monitor the CISA CSAF advisory and vendor channels for updates.
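The check a practitioner would automate for that last sentence, as an added example rather than anything from CISA or the vendor: parse a CSAF 2.0 advisory, resolve the product IDs listed for a CVE, and report whether a vendor_fix remediation has appeared. The CSAF document below is a constructed sample that mirrors the facts on this page; it is not the real CISA advisory, and its advisory id, dates and product ids are placeholders.

```python
"""Report the status of one CVE from a CSAF 2.0 advisory document.

Added example, not CISA's or GL-iNet's tooling. It assumes the advisory is
CSAF 2.0 JSON (document / product_tree / vulnerabilities). SAMPLE_CSAF is a
constructed stand-in for the real advisory: the tracking id, dates and
CSAFPID values are placeholders.
"""
import json

SAMPLE_CSAF = json.dumps({
    "document": {
        "category": "csaf_security_advisory",
        "title": "Constructed sample advisory (placeholder)",
        "tracking": {"id": "SAMPLE-ADVISORY-0001",
                     "current_release_date": "2026-03-18T00:00:00Z"},
    },
    "product_tree": {
        "branches": [
            {"category": "vendor", "name": "GL-iNet", "branches": [
                {"category": "product_name", "name": "Comet (GL-RM1) KVM",
                 "product": {"name": "GL-iNet Comet (GL-RM1) KVM",
                             "product_id": "CSAFPID-0001"}},
            ]},
        ],
    },
    "vulnerabilities": [
        {
            "cve": "CVE-2026-32291",
            "cwe": {"id": "CWE-306",
                    "name": "Missing Authentication for Critical Function"},
            "product_status": {"known_affected": ["CSAFPID-0001"]},
            "remediations": [
                {"category": "mitigation",
                 "details": "Restrict physical access to the device.",
                 "product_ids": ["CSAFPID-0001"]},
            ],
        },
    ],
})


def product_names(tree: dict) -> dict[str, str]:
    """Map product_id -> human-readable name, walking nested product_tree branches."""
    names: dict[str, str] = {}
    for fpn in tree.get("full_product_names", []):
        names[fpn["product_id"]] = fpn["name"]

    def walk(branches: list) -> None:
        for branch in branches:
            product = branch.get("product")
            if product:
                names[product["product_id"]] = product["name"]
            walk(branch.get("branches", []))

    walk(tree.get("branches", []))
    return names


def cve_status(csaf_json: str, cve: str) -> dict:
    """Summarise affected/fixed products and remediation state for one CVE."""
    doc = json.loads(csaf_json)
    tracking = doc["document"]["tracking"]
    names = product_names(doc.get("product_tree", {}))
    for vuln in doc.get("vulnerabilities", []):
        if vuln.get("cve") != cve:
            continue
        status = vuln.get("product_status", {})
        remediations = vuln.get("remediations", [])
        return {
            "found": True,
            "advisory_id": tracking["id"],
            "release_date": tracking.get("current_release_date"),
            "known_affected": [names.get(p, p) for p in status.get("known_affected", [])],
            "fixed": [names.get(p, p) for p in status.get("fixed", [])],
            # CSAF remediation categories: workaround, mitigation, vendor_fix,
            # none_available, no_fix_planned. Only vendor_fix means a patch.
            "vendor_fix_available": any(r.get("category") == "vendor_fix"
                                        for r in remediations),
            "remediation_categories": sorted({r.get("category") for r in remediations}),
        }
    return {"found": False, "advisory_id": tracking["id"]}


if __name__ == "__main__":
    print(json.dumps(cve_status(SAMPLE_CSAF, "CVE-2026-32291"), indent=2))
```

Polling the published CSAF document with this function and alerting when vendor_fix_available flips to true, or when the fixed list becomes non-empty, turns "monitor the advisory" into a concrete, repeatable check.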

Workarounds

  • Store KVM devices in locked enclosures or secure server rooms with restricted access
  • Physically disable or remove UART pins/headers if the debug interface is not required
  • Apply epoxy or conformal coating over UART test points to make access more difficult
  • Implement network segmentation to limit the impact if a KVM device is compromised
  • Consider using enterprise-grade KVM solutions with hardware security features

Physical Security Verification Checklist

  1. Verify tamper seals are intact on all KVM devices
  2. Check for unauthorized modifications to device enclosures
  3. Document serial numbers and compare against asset inventory
  4. Inspect for additional wires or connections to circuit boards

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
