Description
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Published: 2026-06-18
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in InHand Networks IR912 and IR915 firmware that allows an attacker to run arbitrary commands on the device as root. The flaw is triggered by crafted input to the Python configuration function, meaning that no local privileges are required; anyone who can reach the vulnerable interface can immediately gain full system control, with no user interaction needed.

Affected Systems

The affected devices are InHand Networks IR912 and IR915 running firmware versions V1.0.0.r20042 and all earlier releases. The exact product names are InHand IR912 and IR915 network controllers.

Risk and Exploitability

Because the flaw permits remote execution of code with root privileges, the potential impact is total compromise of the confidentiality, integrity, and availability of the device. EPSS data is unavailable and the flaw is not listed in the CISA KEV catalog, but with no vendor fix or workaround provided, any remote attacker who can reach the vulnerable interface could exploit it. The likely attack vector is remote access to the device's configuration interface, which is commonly exposed to the management network. The CVSS score of 9.8 (vector CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) places it in the critical range.

Generated by OpenCVE AI on June 18, 2026 at 22:06 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released for the device that removes the vulnerability, once the vendor provides one.
  • If a patch is not yet available, limit all external access to the device to a closed, trusted network segment and enforce strict firewall rules to block unsolicited traffic.
  • Implement network segmentation and monitoring to detect any anomalous configuration changes or unauthorized access attempts.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 22:30:00 +0000

Values Removed: none
Values Added:
  • Title: Command Injection in InHand Networks IR912 and IR915 Firmware Allows Remote Root Execution

Thu, 18 Jun 2026 19:00:00 +0000

Values Removed: none
Values Added:
  • Title: Command Injection in InHand Networks IR912 and IR915 Firmware Allows Remote Root Execution

Thu, 18 Jun 2026 18:30:00 +0000

Values Removed: none
Values Added:
  • Weaknesses: CWE-77
  • Metrics: cvssV3_1 {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
  • Metrics: ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 16:45:00 +0000

Values Removed: none
Values Added:
  • Description: InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
  • References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-18T17:41:22.797Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38714

Vulnrichment

Updated: 2026-06-18T17:40:57.864Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T22:15:04Z

Weaknesses
  • CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection')