Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
AnalysisAI
Remote root command injection in InHand Networks industrial routers (IR302, IR305, IR315, IR615) allows unauthenticated network attackers to fully compromise affected devices via the WireGuard VPN feature. With CVSS 9.8 and no required privileges or user interaction, this flaw grants attackers ROOT-level control over edge industrial networking equipment. No public exploit identified at time of analysis, but a vendor advisory (InHand-PSA-2026-05) has been published.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today