Skip to main content

InHand IR-Series Routers CVE-2026-38702

CRITICAL
Command Injection (CWE-77)
2026-05-28 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 28, 2026 - 19:23 vuln.today
CVSS changed
May 28, 2026 - 18:22 NVD
9.8 (CRITICAL)
CVE Published
May 28, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

AnalysisAI

Remote root command injection in InHand Networks IR302, IR305, IR315, and IR615 industrial cellular routers allows unauthenticated attackers to execute arbitrary OS commands as root via the Admin Access feature. The flaw affects IR302 V3.5.108, IR305/IR315/IR615 V1.0.118, and earlier firmware, with CVSS 9.8 reflecting network-reachable, no-auth exploitation; no public exploit identified at time of analysis but vendor PSA-2026-05 confirms the issue.

Technical ContextAI

InHand Networks IR302/IR305/IR315/IR615 are industrial cellular/IoT routers commonly deployed in OT, energy, transportation, and remote-site environments where they bridge serial/Ethernet equipment to mobile networks. The defect is classified as CWE-77 (Improper Neutralization of Special Elements used in a Command), meaning the Admin Access feature accepts attacker-controlled input that is concatenated into an OS-level command invocation without adequate sanitization or argument separation. Because embedded router web/management daemons typically run as root on BusyBox-style Linux, successful command injection yields full device control, including configuration tampering, traffic interception, and pivoting into the routed OT network. The CPE record published with this CVE is a placeholder (cpe:2.3:a:n/a:n/a:*) rather than a properly enumerated hardware/firmware CPE, so automated asset-matching tools may fail to flag affected devices.

RemediationAI

Patch status per vendor advisory: consult InHand PSA-2026-05 (https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf) for the fixed firmware versions for each model, as exact fix versions are not enumerated in the supplied CVE data and should not be invented. Until devices are upgraded, restrict reachability of the Admin Access interface by placing the routers behind a management VLAN or VPN and blocking the management HTTP/HTTPS/Telnet/SSH ports from WAN and untrusted LAN segments - the trade-off is that legitimate remote administration must traverse the new bastion path. Disable WAN-side management entirely if the deployment allows it, and apply ACLs at upstream firewalls to permit management only from known operator IPs; note that any device currently reachable from the internet should be treated as potentially compromised and re-imaged after patching, with credentials and certificates rotated.

Share

CVE-2026-38702 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy