GL-iNet Comet KVM Brute-Force Vulnerability

Vulnerability

A vulnerability exists in the GL-iNet Comet KVM web interface on the GL-RM1 model: the login process has no rate limiting, so an attacker can submit password guesses as fast as the device will answer them. Because the web interface password is also used for SSH access by default, a credential recovered through the web login also grants shell access over SSH.

Impact

An attacker with network access to the web interface can brute-force the login without any lockout, delay, or limit on the number of attempts. Since the web interface and SSH share the same credentials by default, a guessed password is sufficient to log in over SSH and obtain a shell on the device.

Remediation

Update to GL-iNet Comet KVM version 1.8.1 BETA, which addresses the issue by banning the source IP address after 10 consecutive failed login attempts. A per-IP ban only slows an attacker who can spread attempts across many source addresses, so a strong, non-default password and keeping the web interface and SSH off untrusted networks remain important regardless of firmware version.
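The following is an added example, not GL-iNet's code or a description of the Comet KVM implementation. It places a login handler with no attempt counting (the vulnerable shape) beside one that applies the remediation the advisory describes: a source-IP ban after 10 consecutive failures. The 10-attempt threshold comes from the advisory; the ban duration, the credential store, the attacker's wordlist, and all function names are assumptions made for the example.

```python
"""Login gate with and without per-source lockout.

Added example, not GL-iNet's code. MAX_FAILURES follows the advisory;
BAN_SECONDS, the credential store and the wordlist are constructed.
"""
import hashlib
import hmac
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

MAX_FAILURES = 10        # from the advisory: ban after 10 consecutive failures
BAN_SECONDS = 15 * 60    # assumption: the advisory does not state a ban length

# Constructed credential store: one admin account, PBKDF2-hashed password.
# Iteration count is kept low so the demo runs quickly; raise it in practice.
_SALT = b"constructed-salt"
_ITERATIONS = 10_000


def _hash(password: str) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, _ITERATIONS)


USERS: Dict[str, bytes] = {"admin": _hash("correct horse battery staple")}


def check_password(user: str, password: str) -> bool:
    stored = USERS.get(user)
    candidate = _hash(password)  # hash even for unknown users: constant cost
    return stored is not None and hmac.compare_digest(stored, candidate)


class UnlimitedLogin:
    """Vulnerable shape: every attempt is evaluated, nothing is counted."""

    def attempt(self, ip: str, user: str, password: str) -> str:
        return "ok" if check_password(user, password) else "denied"


@dataclass
class RateLimitedLogin:
    """Hardened shape: consecutive failures per source IP trigger a timed ban."""
    max_failures: int = MAX_FAILURES
    ban_seconds: float = BAN_SECONDS
    clock: Callable[[], float] = time.monotonic   # injectable for testing
    failures: Dict[str, int] = field(default_factory=dict)
    banned_until: Dict[str, float] = field(default_factory=dict)

    def is_banned(self, ip: str) -> bool:
        until = self.banned_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:          # ban expired: clear it and the counter
            del self.banned_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, user: str, password: str) -> str:
        """Return 'ok', 'denied' or 'banned'. A banned source is refused
        before the password is checked, so further guesses reveal nothing."""
        if self.is_banned(ip):
            return "banned"
        if check_password(user, password):
            self.failures.pop(ip, None)    # success resets the consecutive count
            return "ok"
        count = self.failures.get(ip, 0) + 1
        self.failures[ip] = count
        if count >= self.max_failures:
            self.banned_until[ip] = self.clock() + self.ban_seconds
            return "banned"
        return "denied"


def brute_force(login, ip: str, user: str,
                wordlist: List[str]) -> Tuple[int, Optional[str]]:
    """Constructed attacker: try candidates in order until success or ban.
    Returns (guesses the server actually evaluated, password found or None)."""
    evaluated = 0
    for candidate in wordlist:
        result = login.attempt(ip, user, candidate)
        if result == "banned":
            break
        evaluated += 1
        if result == "ok":
            return evaluated, candidate
    return evaluated, None


# Constructed wordlist: 40 wrong guesses followed by the real password.
WORDLIST = [f"password{i}" for i in range(40)] + ["correct horse battery staple"]
ATTACKER_IP = "203.0.113.5"   # documentation address, constructed


def demo() -> Dict[str, Tuple[int, Optional[str]]]:
    """Run the same wordlist against both handlers from one source IP."""
    return {
        "unlimited": brute_force(UnlimitedLogin(), ATTACKER_IP, "admin", WORDLIST),
        "rate_limited": brute_force(RateLimitedLogin(), ATTACKER_IP, "admin", WORDLIST),
    }


if __name__ == "__main__":
    for name, (evaluated, found) in demo().items():
        print(f"{name}: {evaluated} guesses evaluated, found={found!r}")
```

Against the unlimited handler the attacker walks the whole list and recovers the password; against the rate-limited handler the tenth failure bans the source and the remaining candidates are never evaluated. The ban is keyed on the source IP only, which is the scheme the advisory describes; an attacker rotating source addresses gets a fresh counter each time, which is why the example keeps the password hashing slow and why the remediation note above still recommends a strong password and restricted network exposure.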

Added: Mar 17, 2026, 6:24 PM
Updated: Mar 17, 2026, 6:24 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 5.0
exploitability: 7.7
remediation: 0.0
relevance: 4.0
threat: 4.8
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.