InHand Networks IR-Series Routers CVE-2026-38703
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
AnalysisAI
Remote unauthenticated command injection in the ZeroTier VPN feature of InHand Networks IR302, IR305, IR315, and IR615 industrial routers grants ROOT-level code execution on affected devices. The flaw carries a CVSS 9.8 critical rating with no authentication required, exposing industrial network gateways to full compromise; no public exploit identified at time of analysis, but the vendor (InHand Networks PSA-2026-05) has acknowledged the issue.
Technical ContextAI
InHand Networks IR-series are industrial cellular routers commonly deployed at the edge of OT/ICS environments to provide secure connectivity for SCADA, telemetry, and remote-site networking. The vulnerable component is the integrated ZeroTier VPN feature - a software-defined networking client used for peer-to-peer overlay networking. The root cause is CWE-77 (Improper Neutralization of Special Elements used in a Command), meaning user- or peer-supplied input is passed unsanitized into a shell or system call by the ZeroTier integration layer. The provided NVD CPE string ('cpe:2.3:a:n/a:n/a') is a placeholder and does not enumerate the affected hardware/firmware combinations; the vendor PSA must be consulted for authoritative product/firmware mapping.
RemediationAI
Patch status is best characterized as 'Patch available per vendor advisory' - defenders should consult InHand-PSA-2026-05 (https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf) for the exact fixed firmware versions for IR302, IR305, IR315, and IR615 and upgrade all affected units. Until firmware can be applied, the highest-value compensating control is to disable the ZeroTier VPN feature on the router if it is not actively required (trade-off: loss of overlay/peer-to-peer connectivity for sites that depend on it); where ZeroTier must remain enabled, restrict network reachability to the ZeroTier control/data ports (default UDP/9993) via upstream firewall, ACLs, or carrier APN policy so only trusted peers can initiate sessions, and place the router management plane behind a VPN or jump host. Increase monitoring on these devices for unexpected outbound connections and shell-spawned child processes from the ZeroTier daemon, since CWE-77 exploitation will typically manifest as anomalous process execution under the VPN service.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today