CVE-2026-38707
Received
Received - Intake
Command Injection in InHand Networks IR Series VPN Firmware
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: MITRE
Description
Description
A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| inhand_networks | ir302 | 3.5.108 |
| inhand_networks | ir305 | 1.0.118 |
| inhand_networks | ir315 | 1.0.118 |
| inhand_networks | ir615 | to 3.5.108 (exc) |
| inhand_networks | ir615 | to 1.0.118 (exc) |
Helpful Resources
Exploitability
CWE
KEV
| CWE ID | Description |
|---|---|
| CWE-UNKNOWN |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a command injection flaw found in the IPSec VPN feature of certain InHand Networks devices running specific firmware versions. It allows attackers to execute arbitrary commands on the affected device.
By exploiting this vulnerability, attackers can gain ROOT privileges on remote target devices, meaning they can take full control over the device.
How can this vulnerability impact me? :
If exploited, this vulnerability can allow an attacker to gain root-level access to your device remotely.
- Complete control over the device, including the ability to modify configurations, install malicious software, or disrupt services.
- Potential compromise of sensitive data handled by the device.
- Use of the compromised device as a foothold for further attacks within your network.
Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70