CVE-2026-38703: InHand Networks IR302/305/315/615 Command Injection - ROOT Access
A command injection flaw in the ZeroTier VPN feature of InHand Networks industrial routers allows unauthenticated remote attackers to execute arbitrary commands with root privileges. The vulnerability affects multiple IR-series models and versions up to and including IR302 V3.5.108, IR305 V1.0.118, IR315 V1.0.118, and IR615 V1.0.118. No authentication or user interaction is required to exploit this issue, making it a severe risk for any organization with these devices exposed on untrusted networks.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-77
- Affected products
- 8 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-06-17
NVD description (verbatim)
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
1 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability is classified as a command injection (CWE-77) that resides in the ZeroTier VPN implementation within InHand Networks firmware. The flaw permits attackers to inject and execute arbitrary shell commands by crafting malicious input to the VPN feature. Since the ZeroTier service typically runs with elevated privileges, successful exploitation grants ROOT-level access to the underlying device. The attack vector is network-based with no preconditions—attackers can reach vulnerable devices if they have network connectivity to the ZeroTier interface, whether directly or via the VPN itself. The CVSS 3.1 score of 9.8 reflects the combination of remote exploitability, lack of authentication, and complete system compromise.
Business impact
Organizations operating InHand Networks industrial routers in critical infrastructure, branch offices, or remote sites face immediate risk of device takeover. Compromised routers can be used as pivot points to attack internal networks, intercept traffic, deploy persistent malware, disrupt operations, or exfiltrate sensitive data. For sectors like manufacturing, utilities, and healthcare that rely on these devices for network connectivity, exploitation could result in operational downtime, data breaches, and regulatory penalties. The ROOT-level access granted by this vulnerability is particularly dangerous because attackers gain unrestricted control over router configuration, routing decisions, and any traffic flowing through the device.
Affected systems
InHand Networks IR302 (firmware V3.5.108 and earlier), IR305 (firmware V1.0.118 and earlier), IR315 (firmware V1.0.118 and earlier), and IR615 (firmware V1.0.118 and earlier) are confirmed vulnerable. Devices running these firmware versions should be considered compromisable unless network segmentation or other controls prevent untrusted access to the ZeroTier VPN interface. Organizations should inventory all InHand routers in their environment and determine which models and firmware versions are deployed.
Exploitability
This vulnerability has a low barrier to exploitation. No authentication is required, the attack is network-accessible, and there are no user interaction requirements. While a public exploit has not been documented in CISA's Known Exploited Vulnerabilities catalog, the straightforward nature of command injection attacks and the high visibility of critical infrastructure devices make exploitation likely if the vulnerability remains unpatched. Any attacker with network-level access to a vulnerable ZeroTier VPN port can trigger the vulnerability.
Remediation
Organizations must prioritize patching immediately. InHand Networks has released firmware updates that address this vulnerability; consult the vendor's security advisory to obtain the specific patched firmware versions for each IR model in your environment. Firmware updates should be tested in a non-production environment before deployment to industrial devices. In parallel, implement compensating controls: restrict network access to the ZeroTier VPN interface using firewall rules, disable ZeroTier if it is not operationally required, and place vulnerable devices behind network segmentation to limit lateral movement risk if compromise occurs.
Patch guidance
Verify against the InHand Networks security advisory for the correct patched firmware version applicable to your specific model (IR302, IR305, IR315, or IR615). The vulnerability advisory will specify the minimum firmware version that resolves this issue. Obtain firmware updates only from InHand Networks' official channels. Before deploying to production, test updates in a lab environment to ensure compatibility with your network configuration and any third-party integrations. Plan maintenance windows to minimize operational disruption; coordinate with engineering and operations teams if these routers carry critical traffic. After patching, verify that ZeroTier VPN connectivity is restored and that routing is functioning as expected.
Detection guidance
Monitor for unexpected ZeroTier VPN connection attempts or unusual activity on ports associated with the ZeroTier service. Log and alert on any command execution or process spawning from ZeroTier service processes, especially those running with elevated privileges. Examine device logs for evidence of suspicious ZeroTier traffic patterns, authentication failures, or configuration changes made remotely. Network-based detection can identify injection payloads in ZeroTier protocol traffic, though encrypted VPN traffic will obscure some command content. In addition to ZeroTier-specific monitoring, look for signs of post-exploitation activity: unexpected network connections from the router to external hosts, suspicious SSH or Telnet login attempts, or unexpected changes to the device's running configuration or firmware.
Why prioritize this
This vulnerability merits immediate patching because it is CRITICAL (CVSS 9.8), requires no authentication or user interaction, affects widely-deployed industrial network equipment, and permits full device compromise. The combination of remote exploitability, ROOT privilege escalation, and lack of preconditions makes it one of the highest-priority vulnerabilities for organizations operating InHand Networks routers. Organizations without these specific models can deprioritize, but those with affected devices should treat this as an emergency patch.
Risk score, explained
The CVSS 3.1 vector (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) yields a score of 9.8 (CRITICAL) due to the combination of network attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction needed (UI:N), unchanged scope (S:U), and high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). This represents a vulnerability that can be exploited by any networked attacker without special circumstances or authentication.
Frequently asked questions
Do I need to have ZeroTier enabled on my InHand router for it to be vulnerable?
Yes, the vulnerability exists in the ZeroTier VPN feature specifically. If ZeroTier is not enabled or installed, the attack surface is reduced. However, if you are unsure whether ZeroTier is running, you should check your device configuration immediately. If ZeroTier is not operationally required, disabling it is a valid interim control while you plan patching.
What happens if an attacker exploits this vulnerability on one of my routers?
An attacker gains ROOT-level access to the affected router. This allows them to modify routing rules, intercept or redirect traffic, install persistent backdoors, extract credentials, or use the router as a pivot point to attack your internal network. The impact is essentially complete device compromise.
Are there any workarounds if I cannot patch immediately?
Temporary mitigation includes restricting network access to the ZeroTier VPN port using firewall rules or network ACLs, disabling ZeroTier if it is not required for operations, and segmenting the router network-wise so that if it is compromised, lateral movement is limited. However, these are not substitutes for patching. Prioritize obtaining and applying the vendor patch as soon as feasible.
How do I know which firmware version my InHand router is running?
Log into the router's management interface (typically via web portal or CLI) and check the system information or firmware version setting. Once you have identified your model and current firmware version, cross-reference it against InHand Networks' security advisory to determine if your device is vulnerable and which patched version you should upgrade to.
This analysis is provided for informational purposes and does not constitute legal advice, professional security advice, or a guarantee of accuracy. While this vulnerability summary is based on published CVE data and vendor advisories, organizations should verify all technical details, affected product versions, and patch guidance directly with InHand Networks' official security advisories and technical documentation. Readers are responsible for assessing the applicability of this information to their environment and for obtaining professional guidance from qualified security practitioners before deploying patches or implementing mitigations. SEC.co makes no warranty regarding the completeness, accuracy, or timeliness of this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2024-52011HIGHCommand Injection in launch-editor via Malicious Filenames on Windows
- CVE-2026-10060MEDIUMTRENDnet TEW-432BRP Command Injection—End-of-Life Router Vulnerability
- CVE-2026-10061MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Remediation via Replacement
- CVE-2026-10127MEDIUMEdimax BR-6478AC Command Injection in Firmware 1.23
- CVE-2026-10166MEDIUMEdimax BR-6478AC Command Injection – Authentication Required
- CVE-2026-10180MEDIUMTRENDnet TEW-432BRP Command Injection Vulnerability – Hardware Retirement Required
- CVE-2026-10182MEDIUMTRENDnet TEW-432BRP Command Injection – Unpatched EOL Device
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
Preview — this page is review (quality 0.975). high-value: hold for review.