What is the CVSS score of CVE-2026-38703?

CVE-2026-38703 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Which versions of InHand Networks IR-Series Routers are affected by CVE-2026-38703?

Critical vulnerability in InHand IR-series industrial routers (IR302, IR305, IR315, IR615) enables remote unauthenticated command execution to root-level access, rendering network gateway devices…

InHand Networks IR-Series Routers CVE-2026-38703

CRITICAL

Command Injection (CWE-77)

2026-05-28 mitre

Command Injection N A

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

May 28, 2026 - 19:23 vuln.today

CVSS changed

May 28, 2026 - 18:22 NVD

9.8 (CRITICAL)

CVE Published

May 28, 2026 - 00:00 nvd

UNKNOWN (no severity yet)

DescriptionNVD

A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

AnalysisAI

Remote unauthenticated command injection in the ZeroTier VPN feature of InHand Networks IR302, IR305, IR315, and IR615 industrial routers grants ROOT-level code execution on affected devices. The flaw carries a CVSS 9.8 critical rating with no authentication required, exposing industrial network gateways to full compromise; no public exploit identified at time of analysis, but the vendor (InHand Networks PSA-2026-05) has acknowledged the issue.

RemediationAI

Within 24 hours: Inventory all affected router models in production; assess whether ZeroTier VPN feature is active and can be disabled. Within 7 days: Implement firewall rules restricting network access to ZeroTier ports to authorized administrative networks only; disable ZeroTier VPN where operationally feasible; contact InHand Networks for patch timeline confirmation (reference PSA-2026-05). …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

CVE-2026-38703 vulnerability details – vuln.today

Back

InHand Networks IR-Series Routers CVE-2026-38703

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

RemediationAI

Full analysis requires sign-in

Share

External POC / Exploit Code