Description
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
Published: 2026-05-28
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in the ZeroTier VPN feature of InHand Networks firmware for IR302, IR305, IR315, and IR615 devices. By sending crafted packets, an attacker can cause the VPN daemon to execute arbitrary commands, which grants full root privileges on the affected device. This flaw directly compromises confidentiality, integrity, and availability by enabling an attacker to fully control the device.

Affected Systems

InHand Networks firmware versions V3.5.108 for IR302, V1.0.118 for IR305, IR315, and IR615, as well as any earlier build of these devices. Users operating these models should verify the firmware version in use and consider updating to a version that includes the fix.

Risk and Exploitability

The exploit requires remote access to the ZeroTier VPN interface; the exact attack vector is likely a crafted VPN packet sent over the network. No EPSS score is available and the vulnerability is not listed in CISA KEV, but the potential impact of gaining root means the risk remains high. Attackers could abuse this flaw to install malware, exfiltrate data, or pivot to other network assets.

Generated by OpenCVE AI on May 28, 2026 at 18:27 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update all affected devices to the latest firmware release that contains the ZeroTier VPN patch.
  • If an update is not yet available, disable the ZeroTier VPN feature in device settings or block its traffic with firewall rules.
  • Monitor device logs for unexpected command execution patterns and restrict VPN access to trusted networks.

Generated by OpenCVE AI on May 28, 2026 at 18:27 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 28 May 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 17:00:00 +0000

Type Values Removed Values Added
Description A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-28T17:38:09.540Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38703

cve-icon Vulnrichment

Updated: 2026-05-28T17:38:02.525Z

cve-icon NVD

Status : Received

Published: 2026-05-28T17:16:21.293

Modified: 2026-05-28T18:16:31.737

Link: CVE-2026-38703

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-28T18:30:23Z

Weaknesses