Cyber Posture

CVE-2026-32292

Severity: High

Published: 17 March 2026
Modified: 27 April 2026
KEV Added: not listed
Patch: see mitigations (firmware 1.7.2)
CVSS Score: 7.5 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
EPSS Score: 0.0004 (13.7th percentile)
Risk Priority: 15 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-32292 is a high-severity Improper Restriction of Excessive Authentication Attempts (CWE-307) vulnerability in GL-iNet Comet (GL-RM1) firmware. Its CVSS base score is 7.5 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Password Guessing (T1110.001). Its exploit likelihood ranks at the 13.7th percentile (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-7 (Unsuccessful Logon Attempts) and SI-2 (Flaw Remediation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Password Guessing (T1110.001). What defenders deploy: see the NIST 800-53 controls recommended below.

Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

AC-7 (prevent): enforces limits on consecutive unsuccessful logon attempts, directly preventing brute-force credential guessing on the GL-iNet KVM web interface.

SI-2 (prevent): requires timely flaw remediation, such as applying the recommended firmware update to version 1.7.2 that fixes the lack of login request limits.

SC-5 (prevent): provides denial-of-service protections such as rate limiting, which can mitigate excessive login attempts even if not natively implemented in the KVM interface.
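An added illustration of the AC-7 lockout and SC-5 rate-limiting controls listed above (example code written for this page, not GL-iNet's firmware code; the thresholds, account names and source addresses are constructed):

```python
import time
from collections import defaultdict, deque


class LoginThrottle:
    """Server-side limiter for a login endpoint: an AC-7 style account lockout
    after consecutive failures plus an SC-5 style per-source rate limit.
    State is in memory; thresholds are illustrative, not vendor values."""

    def __init__(self, max_failures=5, lockout_seconds=900,
                 per_source_limit=20, window_seconds=60):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.per_source_limit = per_source_limit
        self.window_seconds = window_seconds
        self._failures = defaultdict(int)       # account -> consecutive failures
        self._locked_until = {}                 # account -> unix time lock expires
        self._source_hits = defaultdict(deque)  # source -> attempt timestamps

    def _source_over_limit(self, source, now):
        hits = self._source_hits[source]
        while hits and now - hits[0] > self.window_seconds:
            hits.popleft()                      # drop attempts outside the window
        hits.append(now)
        return len(hits) > self.per_source_limit

    def attempt(self, account, source, verify, now=None):
        """Return 'allowed', 'denied', 'locked' or 'rate_limited'. `verify` is a
        zero-argument credential check invoked only after the limits pass, so a
        locked account cannot be probed for a correct password."""
        now = time.time() if now is None else now
        if self._source_over_limit(source, now):
            return "rate_limited"
        if self._locked_until.get(account, 0) > now:
            return "locked"
        if verify():
            self._failures[account] = 0         # success resets the counter
            return "allowed"
        self._failures[account] += 1
        if self._failures[account] >= self.max_failures:
            self._locked_until[account] = now + self.lockout_seconds
            self._failures[account] = 0
            return "locked"
        return "denied"


def simulate_failed_logins(throttle, account="admin", source="198.51.100.7", count=8):
    """Feed the throttle a constructed run of wrong passwords, one per second."""
    return [throttle.attempt(account, source, lambda: False, now=1000 + i)
            for i in range(count)]
```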

MITRE ATT&CK Enterprise Techniques

T1110.001 Password Guessing (Credential Access)
Adversaries with no prior knowledge of legitimate credentials within the system or environment may guess passwords to attempt access to accounts.

Why these techniques?

The vulnerability description explicitly states failure to limit login attempts on a network-accessible web interface, directly enabling password guessing via unlimited brute-force attempts (T1110.001) to obtain valid credentials for unauthorized access.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials.

Deeper analysis

CVE-2026-32292 is a vulnerability in the GL-iNet Comet (GL-RM1) KVM web interface that fails to limit login requests, allowing brute-force attacks to guess credentials. Published on 2026-03-17, it is associated with CWE-307 (Improper Restriction of Excessive Authentication Attempts) and carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), reflecting high confidentiality impact from network-accessible exploitation with low complexity and no privileges required.

Remote attackers who can reach the device's web interface over the network can exploit this by performing unlimited login attempts with credential guesses. Success grants unauthorized access to the KVM interface, enabling high-impact confidentiality breaches, such as control over connected systems in environments where the device manages network access.

Advisories recommend mitigation via firmware update to version 1.7.2, available at https://dl.gl-inet.com/release/kvm/release/RM1/1.7.2. Additional guidance appears in an Eclypsium blog post titled "Your KVM is the Weak Link: How $30 Devices Can Own Your Entire Network," a CISA CSAF advisory at https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2025/va-26-076-01.json, and the official CVE record at https://www.cve.org/CVERecord?id=CVE-2026-32292.

Details

CWE(s)

CWE-307 Improper Restriction of Excessive Authentication Attempts

Affected Products

gl-inet
comet gl-rm1 firmware
≤ 1.7.2

CVEs Like This One

CVE-2025-58587 (shared CWE-307)
CVE-2026-24436 (shared CWE-307)
CVE-2025-36363 (shared CWE-307)
CVE-2026-27521 (shared CWE-307)
CVE-2024-9342 (shared CWE-307)
CVE-2026-27778 (shared CWE-307)
CVE-2025-67089 (same vendor: GL-iNet)
CVE-2026-26791 (same vendor: GL-iNet)
CVE-2026-30790 (shared CWE-307)
CVE-2026-26792 (same vendor: GL-iNet)

References