Description
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Published: 2026-06-18
Score: 9.8 Critical
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in the log‑viewing feature of InHand Networks IR912 and IR915 devices. Attackers can supply crafted input that bypasses input validation, allowing execution of arbitrary commands as root. This provides attacker to take control of the router, pivot to other network hosts, or establish persistent footholds.

Affected Systems

Devices running InHand Networks IR912 or IR915 firmware version V1.0.0.r20042 and earlier are affected. The vulnerability resides specifically in the device’s log‑viewing functionality exposed via the management interface.

Risk and Exploitability

The CVSS score of 9.8 indicates critical severity, while the EPSS score of 1%. The vulnerability is not listed in CISA KEV. The likely attack vector is remote, targeting the log‑viewer interface over the device’s management network. Exploitation requires only to the vulnerable function, presenting a low barrier for any attacker who can reach the device externally.

Generated by OpenCVE AI on June 24, 2026 at 12:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available firmware update that addresses the log‑viewer command injection flaw.
  • If a firmware update is not yet available, block or restrict external access to the log‑viewer feature by firewall IP‑based access controls.
  • Reconfigure the device so that log‑viewer commands execute under a non‑root account and remove unnecessary super‑user privileges.

Generated by OpenCVE AI on June 24, 2026 at 12:02 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Inhandnetworks
Inhandnetworks ir912
Inhandnetworks ir915
Vendors & Products Inhandnetworks
Inhandnetworks ir912
Inhandnetworks ir915

Wed, 24 Jun 2026 12:30:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 Log Viewing Function

Wed, 24 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Title Command Injection via Log Viewer in InHand Networks IR912/IR915

Wed, 24 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Command Injection via Log Viewer in InHand Networks IR912/IR915

Wed, 24 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 Log Viewer Enables Remote Root Execution

Tue, 23 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 Log Viewer Enables Remote Root Execution

Tue, 23 Jun 2026 20:30:00 +0000

Type Values Removed Values Added
Title Remote Code Execution in InHand Networks IR912/IR915 Devices via Log Viewer Command Injection

Tue, 23 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Remote Code Execution in InHand Networks IR912/IR915 Devices via Log Viewer Command Injection

Tue, 23 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title InHand Networks Devices Command Injection via Log Viewer

Fri, 19 Jun 2026 00:15:00 +0000

Type Values Removed Values Added
Title InHand Networks Devices Command Injection via Log Viewer

Thu, 18 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912 and IR915 Log Viewer Enabling Remote Root Execution
Weaknesses CWE-78

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912 and IR915 Log Viewer Enabling Remote Root Execution
Weaknesses CWE-78

Thu, 18 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
References

Subscriptions

Inhandnetworks Ir912 Ir915
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-18T17:38:56.568Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38715

cve-icon Vulnrichment

Updated: 2026-06-18T17:38:43.185Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:42:17Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')