Skip to main content

InHand IR-series Routers CVE-2026-38707

CRITICAL
Command Injection (CWE-77)
2026-05-28 mitre
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
May 28, 2026 - 19:22 vuln.today
CVSS changed
May 28, 2026 - 18:22 NVD
9.8 (CRITICAL)
CVE Published
May 28, 2026 - 00:00 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

AnalysisAI

Remote code execution as root in InHand Networks industrial cellular routers (IR302, IR305, IR315, IR615) allows unauthenticated network attackers to inject operating system commands through the IPSec VPN feature. The CVSS 9.8 score reflects network-reachable, low-complexity, unauthenticated exploitation with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the issue is not currently listed in CISA KEV.

Technical ContextAI

The affected devices are industrial-grade cellular routers (IR302/IR305/IR315/IR615) commonly deployed at remote OT/IIoT edge sites for cellular backhaul, VPN aggregation, and SCADA connectivity. The flaw is a CWE-77 Improper Neutralization of Special Elements used in a Command ('Command Injection'), meaning user-supplied input reaching the IPSec VPN subsystem is concatenated into an OS command (likely a shell invocation of an IPSec daemon such as strongSwan/ipsec/racoon or a wrapper script) without proper sanitization. Because IPSec configuration interfaces on these embedded Linux devices typically run as root, successful injection yields full root code execution. The CPE entry returned by the source is the generic placeholder 'cpe:2.3:a:n/a:n/a:*' rather than a vendor-specific CPE, so precise component-level identification must be drawn from the InHand PSA advisory.

RemediationAI

Patch status from the provided data is ambiguous: the only reference is the InHand PSA-2026-05 advisory PDF (https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf) - consult it for vendor-released fixed firmware versions, as no exact fix version was supplied in this dataset. Until verified patched firmware is deployed, restrict reachability to the IPSec VPN service by binding it to trusted interfaces only, placing the device behind an upstream firewall that allows IKE/ESP (UDP 500/4500, ESP) only from known peer IPs, and disabling the IPSec VPN feature entirely on devices that do not require it - the trade-off being loss of site-to-site tunnels on those units. Where the WAN interface is the cellular link, applying carrier-side ACLs or using private APNs to limit inbound reachability is a strong compensating control. Monitor IPSec/IKE logs and outbound traffic from these routers for unexpected processes or shells, since successful exploitation yields root.

Share

CVE-2026-38707 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy