Description
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Published: 2026-06-18
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A command injection flaw exists in the log‑viewing feature of InHand Networks IR912 and IR915 devices. The vulnerability allows an attacker to supply crafted input that is passed unfiltered to the operating‑system command interpreter, enabling the execution of arbitrary commands with root privileges. The primary consequence is the compromise of the entire device, potentially allowing full control, lateral movement, or persistence on the network.

Affected Systems

Devices running InHand Networks IR912 and IR915 firmware versions V1.0.0.r20042 and earlier are affected. The flaw resides specifically in the log viewing functionality of these models.

Risk and Exploitability

The CVSS score is not provided in the available data, but the nature of the flaw—operating‑system command injection executing as root—suggests a high severity. The EPSS score is undisclosed, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is remote access to the log viewing interface, presumably over the device’s management network; this inference is drawn from the description which states that authenticated or unauthenticated remote attackers can trigger the exploit. The exploitation requires only the ability to submit crafted input to the vulnerable function, indicating a low barrier for an attacker who can reach the device externally.

Generated by OpenCVE AI on June 18, 2026 at 19:08 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Secure the device by applying any available firmware update that resolves the command injection in the log viewer.
  • If no update is available, restrict external access to the log viewing feature by firewalling the management port or applying IP‑based access controls.
  • Configure the device so that command execution for log viewing runs under a non‑root account and remove unnecessary super‑user privileges.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Title | | Command Injection in InHand Networks IR912 and IR915 Log Viewer Enabling Remote Root Execution
Weaknesses | | CWE-78

Thu, 18 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-77
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}
 | | ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 18 Jun 2026 16:45:00 +0000

Type | Values Removed | Values Added
Description | | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-18T17:38:56.568Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38715

Vulnrichment

Updated: 2026-06-18T17:38:43.185Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T19:15:02Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')