CRITICAL 9.8

CVE-2026-38704: Critical RCE in InHand Networks WireGuard VPN — IR302, IR305, IR315, IR615

A critical command injection vulnerability has been identified in InHand Networks industrial routers that allows unauthenticated remote attackers to execute arbitrary system commands with root-level privileges. The vulnerability exists in the WireGuard VPN feature across multiple device models and firmware versions. An attacker with network access to the affected device needs only to send a specially crafted command to gain complete control of the system.

Source data · NVD / CISA · public domain

CVSS
3.1 · 9.8 CRITICAL · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weaknesses (CWE)
CWE-77
Affected products
8 configuration(s)
Published / Modified
2026-05-28 / 2026-06-17

NVD description (verbatim)

A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

1 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-38704 is a command injection vulnerability (CWE-77) present in the WireGuard VPN implementation of InHand Networks industrial routers. The flaw permits unauthenticated remote code execution with root privileges. The vulnerability affects IR302 firmware V3.5.108 and earlier, IR305 firmware V1.0.118 and earlier, IR315 firmware V1.0.118 and earlier, and IR615 firmware V1.0.118 and earlier. The CVSS 3.1 score of 9.8 reflects the network-based attack vector, absence of authentication requirements, and complete impact across confidentiality, integrity, and availability.

Business impact

Compromise of an affected InHand router enables attackers to intercept, modify, or disrupt all network traffic passing through the device. In industrial or enterprise environments where these devices serve as edge gateways or VPN concentrators, successful exploitation could result in loss of sensitive data, disruption of critical operations, and unauthorized access to downstream network segments. The root-level access obtained by attackers permits persistent backdoor installation and lateral movement into connected infrastructure.

Affected systems

InHand Networks IR302, IR305, IR315, and IR615 router models are affected. Organizations should verify their inventory against these models and check current firmware versions: IR302 devices running V3.5.108 or earlier, IR305 devices running V1.0.118 or earlier, IR315 devices running V1.0.118 or earlier, and IR615 devices running V1.0.118 or earlier. Industrial deployments, remote office connectivity solutions, and VPN-centric architectures relying on these devices face the highest risk.

Exploitability

This vulnerability presents exceptional exploitability. No user interaction is required, authentication is not needed, and the attack is deliverable over the network without special conditions. An attacker need only send a malicious input to the WireGuard VPN interface to trigger command execution. The simplicity of exploitation combined with the absence of authentication barriers creates immediate risk in any environment where affected devices are internet-facing or accessible from untrusted networks.

Remediation

Organizations must prioritize firmware updates to versions newer than those listed as vulnerable. Contact InHand Networks to obtain and deploy patched firmware versions for your specific device models. Interim mitigations should include restricting network access to the WireGuard VPN interface via firewall rules, disabling the VPN feature if not in active use, and isolating affected devices on segmented networks. After patching, perform network scans to detect signs of prior compromise.

Patch guidance

Consult InHand Networks product security advisories for firmware versions that address CVE-2026-38704 for your specific device model. Verify vendor download portals and release notes for the appropriate patched firmware version numbers, as patch availability and versioning may differ by model. Test patches in a controlled environment before production deployment. Document pre- and post-patch device configurations to support compliance verification.

Detection guidance

Monitor for unusual process execution or command activity originating from affected InHand devices, particularly commands spawned through the WireGuard VPN process. Network intrusion detection systems should flag anomalous connections to management interfaces or unexpected outbound connections from the device. Log examination should focus on VPN interface activity and authentication failures. Conduct forensic review of devices known to be exposed to untrusted networks during the vulnerability window to identify evidence of exploitation.

Why prioritize this

With a CVSS score of 9.8 and unauthenticated remote code execution yielding root access, this vulnerability ranks among the most severe security issues. The combination of network accessibility, lack of authentication requirements, and complete system compromise potential mandates immediate action. Although not yet listed on the CISA KEV catalog, the exploitability profile and impact scope warrant treating this as a zero-day equivalent in terms of organizational response priority. Industrial and critical infrastructure operators should treat this as an emergency patch event.

Risk score, explained

The CVSS 3.1 score of 9.8 (Critical) is driven by: network-based attack vector (AV:N), low attack complexity with no special conditions required (AC:L), no privileges or user interaction needed (PR:N/UI:N), unrestricted scope (S:U), and complete compromise of confidentiality, integrity, and availability (C:H/I:H/A:H). Root-level access and the absence of any authentication or interaction requirements produce a score at the extreme end of the severity spectrum.

Frequently asked questions

Which InHand device models are affected?

The vulnerability affects IR302, IR305, IR315, and IR615 router models. Verify your device model and firmware version against the affected versions listed: IR302 V3.5.108 and earlier, IR305 V1.0.118 and earlier, IR315 V1.0.118 and earlier, IR615 V1.0.118 and earlier.

Do I need authentication to exploit this vulnerability?

No. This is an unauthenticated remote code execution vulnerability. An attacker with network access to the device's WireGuard VPN interface can exploit it without any credentials or user interaction.

Can I use a firewall to protect my device while waiting for patches?

Yes. Restrict network access to the WireGuard VPN interface using firewall rules, permitting only trusted source addresses. However, this is a temporary mitigation; patching remains essential. Disable the WireGuard VPN feature entirely if it is not currently in use.

What should I do if I suspect my device has been compromised?

Isolate the device from production networks, preserve logs and system state for forensic analysis, and contact InHand Networks support. Assume that root-level access may have been obtained and prepare for potential lateral movement into connected systems. Conduct network segmentation reviews and credential audits on systems that trust the affected device.

This analysis is provided for informational purposes and does not constitute professional security advice specific to your environment. All information is derived from published vulnerability reports and vendor advisories as of the date stated. Verify all patch versions, affected firmware levels, and remediation steps directly with InHand Networks official documentation before implementation. SEC.co and its analysts bear no liability for actions taken or omitted based on this intelligence. Organizations must conduct their own risk assessments considering their specific infrastructure, threat model, and regulatory obligations. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).

Preview — this page is review (quality 0.975). high-value: hold for review.