
CVE-2026-32292: GL-iNet Comet Auth Bypass Vulnerability

CVE-2026-32292 is an improper restriction of excessive authentication attempts weakness (CWE-307) in the web interface of the GL-iNet Comet (GL-RM1) KVM: the login endpoint accepts an unlimited number of attempts, so anyone who can reach it can brute-force credentials. This article covers technical details, impact, detection, and mitigation.

Published:

CVE-2026-32292 Overview

The GL-iNet Comet (GL-RM1) KVM web interface contains an improper restriction of excessive authentication attempts vulnerability (CWE-307). The web interface fails to implement rate limiting on login requests, allowing attackers to perform brute-force attacks to guess valid credentials. This weakness enables unauthorized access to the KVM device management interface, potentially compromising connected systems and infrastructure.

Critical Impact

Successful credential guessing gives the attacker the same access as a legitimate administrator of the KVM: remote keyboard, video and mouse on the attached machine, including its console before the operating system boots, plus whatever other functions the device exposes to its administrator. From there the attacker can act on the host as if seated at it, which is why a guessable KVM login is treated as a compromise of the systems behind it.

Affected Products

  • GL-iNet Comet (GL-RM1) KVM devices
  • GL-RM1 web management interface

Discovery Timeline

  • 2026-03-17 - CVE-2026-32292 published to NVD
  • 2026-03-18 - Last updated in NVD database

Technical Details for CVE-2026-32292

Vulnerability Analysis

This vulnerability stems from a missing security control in the GL-iNet Comet (GL-RM1) KVM web interface authentication mechanism. The authentication endpoint accepts unlimited login attempts without implementing any form of rate limiting, account lockout, or CAPTCHA verification. This design flaw allows attackers to systematically attempt credential combinations against the login interface without triggering protective countermeasures.

The weakness is classified under CWE-307 (Improper Restriction of Excessive Authentication Attempts), which describes software that does not adequately limit the number or frequency of authentication attempts. KVM (Keyboard, Video, Mouse) devices are particularly sensitive targets because they give console-level access to the attached machine independent of its operating system (including BIOS/UEFI setup and boot), making this vulnerability especially concerning for infrastructure security.

Root Cause

The root cause is the absence of authentication rate limiting controls in the GL-RM1 web interface. The application does not track failed login attempts per source IP address, per user account, or per session, and so never refuses, delays, or locks out a client that keeps failing. Without that state, a client on its hundredth wrong password is treated exactly like one on its first, and the only limit on a brute-force run is the speed of the network and the device.
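As an added illustration of the missing control (this is not GL-iNet code and does not reflect how the GL-RM1 firmware is written), the following Python puts the CWE-307 pattern, a login handler that evaluates every attempt forever, next to a handler that keeps a sliding window of failures per source address and per account and locks both out once a threshold is crossed. The thresholds, the credential store, the address 203.0.113.7 and the result strings are assumptions chosen for the demonstration.

```python
"""Illustrative authentication throttle for a device login endpoint.

Added example, not GL-iNet code: contrasts the CWE-307 pattern (every
attempt is evaluated, forever) with a handler that counts failures per
source address and per account in a sliding window and locks both out
once a threshold is crossed. Thresholds, the credential store and the
result strings are assumptions chosen for the demonstration.
"""
import hashlib
import hmac
import secrets
from collections import deque

MAX_FAILURES = 5         # failures allowed inside one window
WINDOW_SECONDS = 60.0    # sliding window for counting failures
LOCKOUT_SECONDS = 300.0  # how long a source/account stays locked


def _derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class CredentialStore:
    """Salted, iterated password hashes with constant-time comparison."""

    def __init__(self, users: dict):
        self._users = {}
        for name, password in users.items():
            salt = secrets.token_bytes(16)
            self._users[name] = (salt, _derive(password, salt))

    def verify(self, username: str, password: str) -> bool:
        record = self._users.get(username)
        if record is None:
            _derive(password, bytes(16))  # same cost for unknown users
            return False
        salt, digest = record
        return hmac.compare_digest(_derive(password, salt), digest)


def login_unthrottled(store: CredentialStore, username: str, password: str) -> bool:
    """The CWE-307 pattern: nothing limits how often this can be called."""
    return store.verify(username, password)


class ThrottledLogin:
    """Refuses attempts from a source, or against an account, that has
    failed max_failures times within window seconds, for lockout seconds."""

    def __init__(self, store: CredentialStore, max_failures=MAX_FAILURES,
                 window=WINDOW_SECONDS, lockout=LOCKOUT_SECONDS):
        self.store, self.max_failures = store, max_failures
        self.window, self.lockout = window, lockout
        self._failures = {}      # ("ip"|"user", value) -> deque of timestamps
        self._locked_until = {}  # same key -> time the lock expires

    def _recent_failures(self, key: tuple, now: float) -> deque:
        q = self._failures.setdefault(key, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def login(self, source_ip: str, username: str, password: str, now: float) -> str:
        keys = (("ip", source_ip), ("user", username))
        if any(self._locked_until.get(k, 0.0) > now for k in keys):
            return "locked"  # refused before the password is even checked
        if self.store.verify(username, password):
            for k in keys:
                self._failures.pop(k, None)
            return "ok"
        for k in keys:
            q = self._recent_failures(k, now)
            q.append(now)
            if len(q) >= self.max_failures:
                self._locked_until[k] = now + self.lockout
                q.clear()
        return "denied"


# Constructed guess list: five wrong guesses, then the real password.
GUESSES = ["admin", "password", "123456", "letmein", "qwerty", "correct horse"]


def simulate(throttled: bool) -> list:
    """Run the guess list against one account from one source, one guess per second."""
    store = CredentialStore({"admin": "correct horse"})
    if not throttled:
        return [login_unthrottled(store, "admin", g) for g in GUESSES]
    handler = ThrottledLogin(store)
    return [handler.login("203.0.113.7", "admin", g, now=float(i))
            for i, g in enumerate(GUESSES)]


if __name__ == "__main__":
    print("unthrottled:", simulate(False))  # the sixth guess succeeds
    print("throttled:  ", simulate(True))   # the sixth guess is never evaluated
```

Without the throttle the sixth guess lands; with it, the fifth failure locks both the source and the account, and the correct password on the next attempt is refused without being evaluated. The per-account lock is the part to tune: an attacker who knows the admin username can keep it locked on purpose, so devices usually pair a long per-source block with a short per-account lockout or escalating delays rather than a hard lock.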

Attack Vector

The attack can be conducted remotely over the network. An attacker with network access to the GL-RM1 KVM web interface can use automated tools to rapidly submit login requests with different credential combinations. Common attack scenarios include:

  1. Dictionary attacks using lists of common usernames and passwords
  2. Credential stuffing using leaked credential databases
  3. Systematic brute-force enumeration of password combinations
  4. Targeted attacks using organization-specific password patterns

The network-accessible nature of the vulnerability combined with no user interaction requirements makes exploitation straightforward for attackers who can reach the device's web interface.

Detection Methods for CVE-2026-32292

Indicators of Compromise

  • High volume of HTTP POST requests to the GL-RM1 login endpoint from single IP addresses
  • Multiple failed authentication attempts in rapid succession against the web interface
  • Unusual login activity patterns during non-business hours
  • Successful authentication following a series of failed attempts from the same source

Detection Strategies

  • Monitor authentication logs for excessive failed login attempts against GL-RM1 devices
  • Implement network-level monitoring for anomalous traffic patterns to KVM management interfaces
  • Deploy intrusion detection rules to identify brute-force attack signatures
  • Configure SIEM alerts for authentication anomalies targeting KVM infrastructure

Monitoring Recommendations

  • Enable verbose logging on GL-RM1 devices if available
  • Implement network traffic analysis for management interface segments
  • Review authentication logs regularly for signs of credential guessing attempts
  • Monitor for successful logins that follow patterns of failed attempts
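The indicators and detection strategies above reduce to two checks over the web server log of whatever sits in front of the device: a burst of failed login POSTs from one source inside a short window, and a successful login that follows a run of failures. The following Python is an added example, not a GL-iNet or vendor tool. It assumes access-log lines in the common log format that a reverse proxy writes, a login path of /login, and 401/403 for failed and 200/302 for successful logins; the log lines are constructed for the demonstration, and the addresses 203.0.113.7 and 198.51.100.5 are documentation ranges.

```python
"""Brute-force detection over access-log lines for a KVM login endpoint.

Added example, not a GL-iNet or vendor tool. Walks access-log lines in the
common log format a reverse proxy would write, keeps a sliding window of
failed POSTs to the login path per source address, and raises two
indicators: a burst of failures from one source, and a success that
follows a run of failures. Log format, login path and status codes are
assumptions; match them to what your proxy or device actually logs.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

LOGIN_PATH = "/login"      # assumed login endpoint
FAILURE_CODES = {401, 403}
SUCCESS_CODES = {200, 302}
BURST_THRESHOLD = 10       # failures inside one window that count as a burst
MIN_PRIOR_FAILURES = 3     # failures before a success worth flagging
WINDOW_SECONDS = 60.0

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')


def parse_line(line: str):
    """Return (ip, timestamp, method, path, status), or None if unparseable."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def analyze(lines, login_path=LOGIN_PATH, window=WINDOW_SECONDS,
            burst=BURST_THRESHOLD, min_prior=MIN_PRIOR_FAILURES) -> list:
    """Return (indicator, source_ip, detail) tuples in log order."""
    recent = defaultdict(deque)  # source ip -> timestamps of recent failures
    alerts = []
    for rec in map(parse_line, lines):
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path != login_path:
            continue
        q = recent[ip]
        while q and ts - q[0] > window:
            q.popleft()
        if status in FAILURE_CODES:
            q.append(ts)
            if len(q) == burst:  # fire once as the threshold is crossed
                alerts.append(("login_burst", ip, f"{burst} failures in {window:.0f}s"))
        elif status in SUCCESS_CODES:
            if len(q) >= min_prior:
                alerts.append(("success_after_failures", ip, f"{len(q)} prior failures"))
            q.clear()
    return alerts


def _line(ip, hms, method, path, status):
    return f'{ip} - - [20/Mar/2026:02:{hms} +0000] "{method} {path} HTTP/1.1" {status} 27'


# Constructed log: one source mistypes once and logs in normally; a second
# source hammers /login twelve times in half a minute and then gets in.
SAMPLE_LOG = (
    [_line("198.51.100.5", "05:00", "POST", "/login", 401),
     _line("198.51.100.5", "05:10", "POST", "/login", 302),
     _line("198.51.100.5", "05:11", "GET", "/", 200)]
    + [_line("203.0.113.7", f"14:{3 * i:02d}", "POST", "/login", 401) for i in range(12)]
    + [_line("203.0.113.7", "14:40", "POST", "/login", 302)]
)

if __name__ == "__main__":
    for indicator, ip, detail in analyze(SAMPLE_LOG):
        print(f"{indicator:24} {ip:16} {detail}")
```

Run it over the proxy's access log (or pipe the GL-RM1's own web log through `parse_line` once you have matched the regex to its format). The benign source produces nothing; the attacking source produces a burst alert on its tenth failure and a second alert when its thirteenth request succeeds. Because the counting is per source, a credential-stuffing run spread across many addresses will stay under the burst threshold; catching that needs failures counted per account, which requires the username from the request body or from the device's authentication log rather than the access log alone.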

How to Mitigate CVE-2026-32292

Immediate Actions Required

  • Isolate GL-iNet Comet (GL-RM1) devices from direct internet exposure
  • Place KVM devices behind VPN or zero-trust network access controls
  • Implement strong, unique passwords on all GL-RM1 devices
  • Apply network-level rate limiting using firewalls or reverse proxies

Patch Information

At the time of publication, no vendor patch information is available. Organizations should consult the Eclypsium Blog Post for additional context and the CISA CSAF Document for official advisory details. Monitor GL-iNet security advisories for firmware updates that address this vulnerability.

Workarounds

  • Implement network segmentation to restrict access to KVM management interfaces
  • Deploy a web application firewall (WAF) with rate limiting capabilities in front of the device
  • Use fail2ban or a similar tool on a reverse proxy in front of the device, where the proxy's access log records each login attempt, to block source addresses after repeated failures (the GL-RM1 itself does not do this)
  • Consider disabling web interface access and using alternative management methods if available
```bash
# Example iptables rate limiting for the KVM web interface, on a firewall
# host in front of the device: a source opening 5 or more new TCP connections
# to port 443 within 60 s is dropped (use FORWARD instead of INPUT on a gateway).
iptables -A INPUT -p tcp --dport 443 -i eth0 -m conntrack --ctstate NEW -m recent --name kvm_web --set
iptables -A INPUT -p tcp --dport 443 -i eth0 -m conntrack --ctstate NEW -m recent --update --name kvm_web --seconds 60 --hitcount 5 -j DROP
# This counts connections, not requests: many login POSTs fit in one keep-alive
# connection, so also rate-limit the login path at a reverse proxy or WAF.
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
