The GL-iNet Comet KVM (model GL-RM1) suffers from a critical security vulnerability identified as CVE-2026-32291, categorized under CWE-306 (Missing Authentication for Critical Function). The core issue is that the UART serial console interface on the device does not enforce any authentication mechanisms. This means that anyone who can physically open the device and connect to the UART pins can bypass all authentication controls and directly access critical system functions. The attack vector is physical access (AV:P), with low attack complexity (AC:L), and no privileges or user interaction required (PR:N, UI:N). The vulnerability impacts confidentiality, integrity, and availability at a high level (VC:H, VI:H, VA:H), as an attacker can potentially control the device, extract sensitive information, or disrupt its operation. The scope is unchanged (SC:N), and there is no indication of privilege escalation or impact on security attributes beyond the device itself. No patches or mitigations have been published yet, and no known exploits are reported in the wild. This vulnerability is particularly concerning for deployments in environments where physical security cannot be guaranteed, such as remote or publicly accessible locations. The lack of authentication on a critical management interface like UART is a significant design flaw that undermines the device's security posture.

The impact of CVE-2026-32291 is substantial for organizations using the GL-iNet Comet KVM, especially in sensitive or critical infrastructure environments. An attacker with physical access can gain unauthorized control over the device, potentially leading to full compromise of the KVM system. This can result in unauthorized disclosure of sensitive information, manipulation or disruption of connected systems, and denial of service. Since KVM devices often provide remote management capabilities for servers and network equipment, compromising the KVM can serve as a pivot point for further attacks within an organization's network. The requirement for physical access limits the scope somewhat, but in environments such as data centers, branch offices, or industrial sites where devices may be less physically secured, the risk is significant. Additionally, the absence of authentication on the UART interface violates best practices for device security and increases the attack surface. Organizations relying on these devices for critical operations must consider the risk of insider threats or physical tampering.

To mitigate this vulnerability, organizations should implement strict physical security controls to prevent unauthorized access to the GL-iNet Comet KVM devices. This includes securing device enclosures, restricting access to server rooms or cabinets, and monitoring for signs of tampering. Until a firmware patch or update is released by GL-iNet, disabling or physically blocking access to UART pins where feasible can reduce risk. Organizations should also audit their inventory to identify affected devices and consider replacing them with more secure alternatives if physical security cannot be guaranteed. Network segmentation and limiting KVM device exposure to trusted personnel can further reduce risk. Monitoring device logs and behavior for anomalies may help detect attempts at physical compromise. Finally, engaging with GL-iNet support for updates or guidance and following their security advisories is recommended once patches become available.