CVE-2026-32291 is a vulnerability identified in the GL-iNet Comet KVM (model GL-RM1) firmware versions prior to 1.8.2. The core issue is the absence of authentication on the UART serial console interface, which is a critical function for device management and control. UART (Universal Asynchronous Receiver-Transmitter) interfaces are commonly used for low-level device access, often during debugging or recovery operations. In this case, the UART console allows direct interaction with the device’s operating environment without any authentication barrier, violating secure design principles and classified under CWE-306 (Missing Authentication for Critical Function). Exploiting this vulnerability requires an attacker to physically open the device and connect to exposed UART pins, which limits the attack vector to scenarios where physical access is possible. Once connected, an attacker can execute commands, potentially leading to unauthorized configuration changes, firmware manipulation, or extraction of sensitive data. The vulnerability does not require prior authentication, user interaction, or network access, but the physical access requirement significantly reduces the likelihood of remote exploitation. The CVSS 4.0 vector (AV:P/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N) indicates a physical attack vector with low complexity and no privileges or user interaction needed, but with high impacts on confidentiality, integrity, and availability. No patches or exploits are currently publicly available, but the vendor has addressed the issue in firmware version 1.8.2. This vulnerability is particularly relevant for organizations relying on GL-iNet Comet KVM devices in sensitive environments where physical security may be insufficient.

The primary impact of CVE-2026-32291 is the potential for complete compromise of affected GL-iNet Comet KVM devices through physical access. An attacker with physical access can bypass all authentication controls by connecting to the UART serial console, enabling them to execute arbitrary commands, alter device configurations, or extract sensitive information. This can lead to loss of confidentiality, integrity, and availability of the device and any systems managed through it. In environments where these KVM devices control critical infrastructure or sensitive networks, such compromise could facilitate lateral movement, persistent access, or disruption of operations. Although remote exploitation is not feasible, the risk is significant in scenarios where devices are deployed in unsecured or semi-public locations. The lack of authentication on a critical management interface represents a fundamental security design flaw, increasing the attack surface for insider threats or physical attackers. Organizations may face operational downtime, data breaches, or compliance violations if this vulnerability is exploited.

To mitigate CVE-2026-32291, organizations should immediately update GL-iNet Comet KVM devices to firmware version 1.8.2 or later, where authentication on the UART console is enforced. If updating firmware is not immediately possible, physical security controls must be strengthened to prevent unauthorized access to the devices, including securing device enclosures, restricting access to server rooms, and monitoring for tampering. Additionally, organizations should audit their deployment environments to identify any devices at risk of physical compromise. Implementing tamper-evident seals and intrusion detection mechanisms can provide early warning of physical access attempts. Network segmentation should be employed to limit the impact of any compromised KVM device. Finally, organizations should consider disabling or physically blocking UART interfaces if they are not required for normal operations, reducing the attack surface. Regular security training for personnel on the risks of physical device access is also recommended.