CVE-2026-32292 PUBLISHED

GL-iNet Comet (GL-RM1) KVM insufficient login rate-limiting

Assigner: cisa-cg
Reserved: 11.03.2026 Published: 17.03.2026 Updated: 17.03.2026

The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials.

Metrics

CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:H/SI:H/SA:H
CVSS Score: 9.3

Product Status

Vendor GL-iNet
Product Comet KVM
Versions Default: unknown
  • affected from 0 to 1.7.2 (excl.)
  • Version 1.7.2 is unaffected

Credits

  • Reynaldo Vasquez Garcia, Eclypsium

References

Problem Types

  • CWE-307 Improper Restriction of Excessive Authentication Attempts CWE