CRITICAL 9.8

CVE-2026-38702: Critical Command Injection in InHand Networks IR-Series Routers

A command injection flaw in InHand Networks industrial routers allows unauthenticated attackers to execute arbitrary commands with root privileges remotely. The vulnerability affects the Admin Access feature across multiple IR series devices (IR302, IR305, IR315, IR615) running specified firmware versions or earlier. No user interaction is required, and the attack can be mounted over the network without prior credentials.

Source data · NVD / CISA · public domain

CVSS
3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-77
Affected products
8 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-38702 is a CWE-77 command injection vulnerability in the Admin Access functionality of InHand Networks IR-series industrial routers. The flaw permits unauthenticated remote code execution leading to root-level system compromise. Affected versions include IR302 firmware V3.5.108 and earlier, IR305 firmware V1.0.118 and earlier, IR315 firmware V1.0.118 and earlier, and IR615 firmware V1.0.118 and earlier. The vulnerability's CVSS 3.1 score of 9.8 reflects network accessibility, low attack complexity, lack of privilege requirements, absence of user interaction, and complete impact across confidentiality, integrity, and availability.

Business impact

Compromise of an InHand Networks router via this vulnerability grants attackers full system control, enabling device manipulation, network traffic interception, lateral movement into connected industrial networks, and persistent backdoor installation. For organizations relying on these routers in OT/IoT deployments—common in manufacturing, utilities, and remote site management—successful exploitation can disrupt operations, compromise sensitive process data, and create cascade failures across connected infrastructure. The remote, unauthenticated nature of the attack substantially expands risk surface.

Affected systems

InHand Networks IR302, IR305, IR315, and IR615 industrial routers are affected. Specifically: IR302 firmware V3.5.108 and earlier versions; IR305 firmware V1.0.118 and earlier versions; IR315 firmware V1.0.118 and earlier versions; IR615 firmware V1.0.118 and earlier versions. Verify your device model and current firmware version via the device's management interface or system information page. Organizations should inventory all deployed IR-series routers and cross-reference against these product/version combinations.

Exploitability

This vulnerability presents extremely high exploitability risk. Attack vectors require only network connectivity and do not demand authentication, valid credentials, or user interaction. An attacker can craft and send a malicious command payload to the Admin Access feature to achieve remote code execution as root. The low attack complexity and absence of prerequisite steps make this amenable to rapid weaponization and widespread scanning. No evidence of active exploitation in the wild has been formally disclosed, but the technical accessibility and criticality suggest opportunistic threat actors will target internet-facing devices promptly.

Remediation

Upgrade affected devices to patched firmware versions released by InHand Networks. Verify the exact patched version against the vendor's security advisory for each device model. As an interim measure, restrict network access to the Admin Access feature using firewall rules or access control lists, limiting connections to trusted management networks only. Disable the Admin Access feature if not operationally required. Monitor device logs for suspicious command injection attempts or unauthorized access patterns.

Patch guidance

Contact InHand Networks or consult their official security advisory to obtain patched firmware versions for each affected model (IR302, IR305, IR315, IR615). Firmware updates typically require console or web-based access to the device. Plan maintenance windows to avoid disruption to active industrial processes. Test patches in a non-production environment first if feasible. Verify successful patch application by confirming the new firmware version and re-running vulnerability scans. Given the criticality score, prioritize patching of internet-facing or DMZ-deployed routers first.

Detection guidance

Monitor network traffic for suspicious connections to the Admin Access port on IR-series devices. Implement intrusion detection signatures targeting command injection payloads targeting this vulnerability (consult vendor advisories for indicator patterns). Review device logs and syslog for unexpected command execution, privilege escalation events, or unauthorized administrative access. Deploy endpoint detection tools on management networks that interact with these routers. Hunt for signs of post-exploitation activity such as new user accounts, cron job modifications, or persistent mechanisms. Correlate alerts across your router fleet to identify coordinated or widespread attack attempts.

Why prioritize this

CVE-2026-38702 merits immediate remediation due to its CVSS 9.8 criticality score, complete lack of access controls, remote and unauthenticated attack vector, and potential for wholesale infrastructure compromise. Industrial routers are foundational trust boundaries in OT networks; their compromise enables attacker persistence and lateral movement. The combination of zero friction to exploitation and high business impact places this among the most dangerous vulnerabilities for organizations operating IR-series devices.

Risk score, explained

The CVSS 3.1 score of 9.8 (CRITICAL) reflects: (1) Network Attack Vector—exploitation requires only network access, no physical or local presence; (2) Low Attack Complexity—no special conditions or tools required; (3) No Privileges Required—unauthenticated attackers can trigger the flaw; (4) No User Interaction—attack succeeds without victim action; (5) Unchanged Scope—impact limited to the vulnerable component; (6) High Confidentiality, Integrity, and Availability Impact—successful exploitation grants root access enabling complete system compromise. The only reason the score is not 10.0 is the unchanged scope classification.

Frequently asked questions

How can I determine if my InHand Networks router is vulnerable?

Check your device's current firmware version via the web management console or CLI. Cross-reference against the affected versions: IR302 ≤ V3.5.108, IR305 ≤ V1.0.118, IR315 ≤ V1.0.118, IR615 ≤ V1.0.118. If your firmware version is at or below these thresholds, your device is vulnerable. Consult your device's serial number and model sticker for exact identification.

Is this vulnerability currently being exploited in the wild?

As of the published date, CVE-2026-38702 has not been added to CISA's Known Exploited Vulnerabilities (KEV) catalog, indicating no confirmed public exploitation has been formally documented. However, given the severity and accessibility of the flaw, defenders should assume opportunistic scanning and exploitation attempts may occur shortly after public disclosure.

What should I do if my organization cannot patch immediately?

Implement network-level protections: restrict inbound access to the Admin Access feature using firewalls, VPNs, or network segmentation, limiting connections to trusted management subnets only. Disable the Admin Access feature if operationally feasible. Enable enhanced logging and monitoring on affected devices. Increase surveillance for suspicious command patterns in device logs. Develop a phased patching schedule prioritizing internet-facing or less-critical devices first.

Does this vulnerability require authentication to exploit?

No. The vulnerability is unauthenticated, meaning an attacker does not need valid credentials or prior access to the device. This is one of the factors contributing to its critical severity rating. Any network-reachable device is potentially exploitable without authentication barriers.

This analysis is based on vendor security data and CVSS calculations as of the publication date. Patch versions, compatibility matrices, and detailed exploitation techniques should be verified against official InHand Networks security advisories before implementation. Organizations should conduct their own risk assessment and testing in isolated environments prior to production deployment of patches. SEC.co makes no warranty regarding the completeness or accuracy of remediation guidance and recommends consulting with your vendor and internal security teams. No proof-of-concept or exploit code is provided herein. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Preview — this page is review (quality 0.975). high-value: hold for review.