CVE-2026-32290 identifies a critical vulnerability in the GL-iNet Comet KVM (model GL-RM1) firmware update mechanism prior to version 1.8.2. The root cause is insufficient verification of the authenticity of uploaded firmware files, specifically relying on an MD5 hash that can be manipulated by an attacker. Because MD5 is cryptographically broken and the device does not perform robust cryptographic signature verification, an attacker positioned as a man-in-the-middle (MitM) or who has compromised the update server can modify both the firmware binary and the corresponding MD5 hash to pass the device's verification process. This allows the attacker to install malicious firmware, potentially gaining persistent control over the device or disrupting its operation. The vulnerability does not require prior authentication but does require user interaction to initiate the firmware update process. The CVSS 4.0 vector (AV:L/AC:L/AT:P/PR:N/UI:A/VC:N/VI:H/VA:N/SC:H/SI:H/SA:H) indicates local attack vector, low attack complexity, no privileges required, user interaction needed, and high impact on integrity and availability with high scope and security requirements. No known exploits have been reported in the wild yet. The vulnerability is classified under CWE-345 (Insufficient Verification of Data Authenticity), highlighting the failure to properly verify firmware authenticity. This flaw can lead to device compromise, unauthorized code execution, and denial of service. The patch or firmware update to version 1.8.2 or later is recommended to remediate the issue. Organizations should also ensure secure update delivery mechanisms and consider network protections to prevent MitM attacks.

The vulnerability allows attackers to install malicious firmware on GL-iNet Comet KVM devices, compromising device integrity and availability. This can lead to persistent unauthorized access, data interception, or device disruption. For organizations relying on these KVM devices for remote management, exploitation could result in loss of control over critical infrastructure, potential lateral movement within networks, and exposure of sensitive operational data. The attack requires user interaction but no authentication, increasing risk in environments where updates are performed by less security-aware personnel. Although no exploits are currently known in the wild, the vulnerability’s existence poses a significant risk, especially in environments with high-value targets or where attackers can intercept update traffic. The impact extends to operational continuity, confidentiality of management sessions, and trust in device firmware integrity.

1. Immediately update all GL-iNet Comet KVM devices to firmware version 1.8.2 or later, which addresses this vulnerability. 2. Implement strict network segmentation and access controls to limit local network access to KVM devices, reducing the risk of MitM attacks. 3. Use secure, authenticated channels (e.g., VPNs, TLS) for firmware updates to prevent interception or tampering. 4. Disable automatic or user-initiated firmware updates unless performed by trusted administrators. 5. Monitor network traffic for unusual update attempts or anomalies in device behavior post-update. 6. Employ cryptographic verification mechanisms beyond MD5, such as digital signatures, to validate firmware authenticity. 7. Educate personnel responsible for device maintenance about the risks of firmware tampering and the importance of verifying update sources. 8. Consider deploying intrusion detection systems to detect potential MitM or update server compromise attempts. 9. Regularly audit device firmware versions and integrity to detect unauthorized changes promptly.