Description
A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
Published: 2026-05-28
Score: 9.8 Critical
EPSS: 1.2% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in the Admin Access feature of InHand Networks IR firmware, allowing an attacker to execute arbitrary shell commands with the privileges of the device’s operating system. This vulnerability directly enables remote acquisition of full root control, compromising the confidentiality, integrity, and availability of the affected device.

Affected Systems

InHand Networks IR302 firmware V3.5.108 and all earlier releases; IR305 firmware V1.0.118 and all earlier releases; IR315 firmware V1.0.118 and all earlier releases; IR615 firmware V1.0.118 and all earlier releases.

Risk and Exploitability

The CVSS score of 9.8 rates this issue as Critical. EPSS has no available data, and the vulnerability is not listed in CISA KEV. The attack most likely targets the device’s administrative interface, where an attacker can inject a command string that the operating system runs as root. Because the flaw allows arbitrary code execution remotely, exploitation is considered highly probable if the Admin Access interface is reachable from outside the trusted network.

Generated by OpenCVE AI on May 28, 2026 at 20:54 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update as specified in the vendor’s advisory.
  • Restrict administrative access to the device by limiting the Admin Access interface to a secure internal network, using firewall rules or IP whitelisting to block untrusted connections.
  • If the Admin Access feature is not required, disable or remove it to reduce the attack surface until a patch can be applied.
  • Monitor the device for suspicious activity and consider additional network segmentation to contain any potential compromise.

Advisories

No advisories yet.

History

Fri, 29 May 2026 14:15:00 +0000

Type Values Removed Values Added
First Time appeared:
  Inhandnetworks
  Inhandnetworks ir302
  Inhandnetworks ir302 Firmware
  Inhandnetworks ir305
  Inhandnetworks ir305 Firmware
  Inhandnetworks ir315
  Inhandnetworks ir315 Firmware
  Inhandnetworks ir615
  Inhandnetworks ir615 Firmware
CPEs:
  cpe:2.3:h:inhandnetworks:ir302:-:*:*:*:*:*:*:*
  cpe:2.3:h:inhandnetworks:ir305:-:*:*:*:*:*:*:*
  cpe:2.3:h:inhandnetworks:ir315:-:*:*:*:*:*:*:*
  cpe:2.3:h:inhandnetworks:ir615:-:*:*:*:*:*:*:*
  cpe:2.3:o:inhandnetworks:ir302_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:o:inhandnetworks:ir305_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:o:inhandnetworks:ir315_firmware:*:*:*:*:*:*:*:*
  cpe:2.3:o:inhandnetworks:ir615_firmware:*:*:*:*:*:*:*:*
Vendors & Products:
  Inhandnetworks
  Inhandnetworks ir302
  Inhandnetworks ir302 Firmware
  Inhandnetworks ir305
  Inhandnetworks ir305 Firmware
  Inhandnetworks ir315
  Inhandnetworks ir315 Firmware
  Inhandnetworks ir615
  Inhandnetworks ir615 Firmware

Thu, 28 May 2026 21:15:00 +0000

Type Values Removed Values Added
Title: Command Injection in InHand Networks IR Firmware Allows Remote Root Access

Thu, 28 May 2026 19:15:00 +0000

Type Values Removed Values Added
Title: Command Injection in InHand Networks IR Firmware Allows Remote Root Access

Thu, 28 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses: CWE-77
Metrics:
  cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description: A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-28T17:38:36.042Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38702

Vulnrichment

Updated: 2026-05-28T17:38:32.451Z

NVD

Status: Analyzed

Published: 2026-05-28T17:16:21.177

Modified: 2026-05-29T14:09:18.733

Link: CVE-2026-38702

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T21:19:36Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')