CRITICAL🇵🇱 Wersja polska

CVE-2026-38702

CVSS 9.8v3.1pub. 2026-05-28upd. 2026-05-29

A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

🤖 AI Analysis
How it works

The vulnerability (CWE-77) consists of improper neutralization of special characters or control sequences in input data passed to the command interpreter in the Admin Access function. An attacker can craft an appropriate network request containing a malicious payload that is executed directly by the device's operating system. Due to the network vector (AV:N), lack of requirements for attack complexity (AC:L), and lack of need for privileges (PR:N), the vulnerability is particularly dangerous in environments exposed to the internet.

Impact

Successful exploitation of the vulnerability gives the attacker full ROOT privileges on the remote device, which means complete control over the device, ability to read and modify configuration, and potential use of the device as an entry point to the internal network.

Mitigation & patch

Apply patches available from the manufacturer according to the references (https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf). Until firmware is updated, it is recommended to restrict access to the administrative interface only to trusted IP addresses and isolate devices from the public network using a firewall.

Who is affected

InHand Networks IR302 firmware V3.5.108 and earlier, IR305 firmware V1.0.118 and earlier, IR315 firmware V1.0.118 and earlier, IR615 firmware V1.0.118 and earlier

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
  • Inhandnetworks Ir302

    HW
    Inhandnetworks
    wszystkie wersje
  • Inhandnetworks Ir302 Firmware

    OS
    Inhandnetworks
    < 3.5.112
  • Inhandnetworks Ir305

    HW
    Inhandnetworks
    wszystkie wersje
  • Inhandnetworks Ir305 Firmware

    OS
    Inhandnetworks
    < 1.0.121
  • Inhandnetworks Ir315

    HW
    Inhandnetworks
    wszystkie wersje
  • Inhandnetworks Ir315 Firmware

    OS
    Inhandnetworks
    < 1.0.121
  • Inhandnetworks Ir615

    HW
    Inhandnetworks
    wszystkie wersje
  • Inhandnetworks Ir615 Firmware

    OS
    Inhandnetworks
    < 1.0.121
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
CWE
References

Related vulnerabilities

CVE-2026-38707CRITICAL9.8PL ✓ten sam produkt

Command injection w funkcji IPSec VPN urządzeń InHand Networks — dostęp ROOT

CVE-2026-38704CRITICAL9.8PL ✓ten sam produkt

Command injection w funkcji WireGuard VPN urządzeń InHand Networks

CVE-2026-38703CRITICAL9.8PL ✓ten sam produkt

Command injection w funkcji ZeroTier VPN urządzeń InHand Networks

CVE-2021-38480CRITICAL9.6ten sam produkt

InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to cross-site request forge...

CVE-2021-38470CRITICAL9.1ten sam produkt

InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to an attacker using a ping...