A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HInhandnetworks Ir302
HWInhandnetworkswszystkie wersjeInhandnetworks Ir302 Firmware
OSInhandnetworks< 3.5.112Inhandnetworks Ir305
HWInhandnetworkswszystkie wersjeInhandnetworks Ir305 Firmware
OSInhandnetworks< 1.0.121Inhandnetworks Ir315
HWInhandnetworkswszystkie wersjeInhandnetworks Ir315 Firmware
OSInhandnetworks< 1.0.121Inhandnetworks Ir615
HWInhandnetworkswszystkie wersjeInhandnetworks Ir615 Firmware
OSInhandnetworks< 1.0.121
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
VPN
CWE
Related vulnerabilities
CVE-2026-38707CRITICAL9.8PL ✓ten sam produkt
Command injection w funkcji IPSec VPN urządzeń InHand Networks — dostęp ROOT
CVE-2026-38704CRITICAL9.8PL ✓ten sam produkt
Command injection w funkcji WireGuard VPN urządzeń InHand Networks
CVE-2026-38702CRITICAL9.8PL ✓ten sam produkt
Command injection w firmware InHand Networks IR302/IR315/IR615 — dostęp ROOT
CVE-2021-38480CRITICAL9.6ten sam produkt
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to cross-site request forge...
CVE-2021-38470CRITICAL9.1ten sam produkt
InHand Networks IR615 Router's Versions 2.3.0.r4724 and 2.3.0.r4870 are vulnerable to an attacker using a ping...