Description
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Published: 2026-06-18
Score: 9.8 Critical
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This CVE describes a command injection vulnerability in the Python configuration function of InHand Networks IR912 and IR915 firmware. An attacker who can send a crafted input can execute arbitrary shell commands with root privileges, giving complete control over the device. The flaw is a classic command injection (CWE-77) that bypasses input validation and allows remote control of the system without requiring local access or additional exploits, effectively compromising confidentiality, integrity, and availability.

Affected Systems

The affected products are the InHand Networks IR912 and IR915 network controllers running firmware version V1.0.0.r20042 and all earlier releases. The vulnerability applies to both device models and to any firmware build that has not been updated past the mentioned version.

Risk and Exploitability

The CVSS score of 9.8 classifies this vulnerability as critical, and the EPSS score of 1% suggests a low but non‑zero probability of exploitation in the wild. The flaw can be exploited remotely by accessing the device’s configuration interface; a malicious user can submit the crafted payload to the vulnerable Python function and obtain root‑level execution. The vulnerability is not listed in the CISA KEV catalog, which means no public exploit has yet been confirmed, but the technical description indicates remote attackers can already gain full device control, keeping the risk high until a patch is applied.

Generated by OpenCVE AI on June 24, 2026 at 13:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released for the IR912 and IR915 devices that resolves the command injection flaw.
  • Until a patch is available, restrict external network access to the devices by placing them behind a firewall or in a closed network segment and blocking all unsolicited traffic.
  • Implement strict input validation on the device’s Python configuration function or disable external configuration interfaces that are not required for operation, thereby mitigating the command injection risk.
  • Enable logging and monitoring of configuration changes and suspicious activity to detect any unauthorized attempts to exploit the vulnerability.

Generated by OpenCVE AI on June 24, 2026 at 13:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Inhand
Inhand ir912
Inhand ir915
Vendors & Products Inhand
Inhand ir912
Inhand ir915

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand IR912/IR915 Firmware Enables Remote Root Execution

Wed, 24 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand IR912/IR915 Firmware Enables Remote Root Execution

Wed, 24 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912 and IR915 Firmware Allows Remote Root Execution

Wed, 24 Jun 2026 02:15:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912 and IR915 Firmware Allows Remote Root Execution

Wed, 24 Jun 2026 00:30:00 +0000

Type Values Removed Values Added
Title Command Injection Allowing Remote Code Execution in InHand Networks IR912/IR915 Firmware

Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Title Command Injection Allowing Remote Code Execution in InHand Networks IR912/IR915 Firmware

Tue, 23 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title InHand Networks IR912/IR915 Firmware Command Injection Exploiting Root Access

Tue, 23 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Remote Root Command Injection in InHand Networks IR912/IR915 Firmware InHand Networks IR912/IR915 Firmware Command Injection Exploiting Root Access

Tue, 23 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Remote Root Command Injection in InHand Networks IR912/IR915 Firmware

Thu, 18 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912 and IR915 Firmware Allows Remote Root Execution

Thu, 18 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912 and IR915 Firmware Allows Remote Root Execution

Thu, 18 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-18T17:41:22.797Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38714

cve-icon Vulnrichment

Updated: 2026-06-18T17:40:57.864Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:42:18Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')