InHand IR-series Routers CVE-2026-38707
CRITICALSeverity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
AnalysisAI
Remote code execution as root in InHand Networks industrial cellular routers (IR302, IR305, IR315, IR615) allows unauthenticated network attackers to inject operating system commands through the IPSec VPN feature. The CVSS 9.8 score reflects network-reachable, low-complexity, unauthenticated exploitation with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.
Technical ContextAI
The affected devices are industrial-grade cellular routers (IR302/IR305/IR315/IR615) commonly deployed at remote OT/IIoT edge sites for cellular backhaul, VPN aggregation, and SCADA connectivity. The flaw is a CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection'), meaning user-supplied input reaching the IPSec VPN subsystem is concatenated into an OS command (likely a shell invocation of an IPSec daemon such as strongSwan/ipsec/racoon or a wrapper script) without proper sanitization. Because IPSec configuration interfaces on these embedded Linux devices typically run as root, successful injection yields full root code execution. The CPE entry returned by the source is the generic placeholder 'cpe:2.3:a:n/a:n/a:*' rather than a vendor-specific CPE, so precise component-level identification must be drawn from the InHand PSA advisory.
RemediationAI
Patch status from the provided data is ambiguous: the only reference is the InHand PSA-2026-05 advisory PDF (https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf) - consult it for vendor-released fixed firmware versions, as no exact fix version was supplied in this dataset. Until verified patched firmware is deployed, restrict reachability to the IPSec VPN service by binding it to trusted interfaces only, placing the device behind an upstream firewall that allows IKE/ESP (UDP 500/4500, ESP) only from known peer IPs, and disabling the IPSec VPN feature entirely on devices that do not require it - the trade-off being loss of site-to-site tunnels on those units. Where the WAN interface is the cellular link, applying carrier-side ACLs or using private APNs to limit inbound reachability is a strong compensating control. Monitor IPSec/IKE logs and outbound traffic from these routers for unexpected processes or shells, since successful exploitation yields root.
Same weakness CWE-77 – Command Injection
View allSame technique Command Injection
View allShare
External POC / Exploit Code
Leaving vuln.today