Impact
This CVE describes a command injection vulnerability in the Python configuration function of InHand Networks IR912 and IR915 firmware. An attacker who can send a crafted input can execute arbitrary shell commands with root privileges, giving complete control over the device. The flaw is a classic command injection (CWE-77) that bypasses input validation and allows remote control of the system without requiring local access or additional exploits, effectively compromising confidentiality, integrity, and availability.
Affected Systems
The affected products are the InHand Networks IR912 and IR915 network controllers running firmware version V1.0.0.r20042 and all earlier releases. The vulnerability applies to both device models and to any firmware build that has not been updated past the mentioned version.
Risk and Exploitability
The CVSS score of 9.8 classifies this vulnerability as critical, and the EPSS score of 1% suggests a low but non‑zero probability of exploitation in the wild. The flaw can be exploited remotely by accessing the device’s configuration interface; a malicious user can submit the crafted payload to the vulnerable Python function and obtain root‑level execution. The vulnerability is not listed in the CISA KEV catalog, which means no public exploit has yet been confirmed, but the technical description indicates remote attackers can already gain full device control, keeping the risk high until a patch is applied.
OpenCVE Enrichment