Impact
A command injection flaw exists in the log‑viewing feature of InHand Networks IR912 and IR915 devices. Attackers can supply crafted input that bypasses input validation, allowing execution of arbitrary commands as root. This provides attacker to take control of the router, pivot to other network hosts, or establish persistent footholds.
Affected Systems
Devices running InHand Networks IR912 or IR915 firmware version V1.0.0.r20042 and earlier are affected. The vulnerability resides specifically in the device’s log‑viewing functionality exposed via the management interface.
Risk and Exploitability
The CVSS score of 9.8 indicates critical severity, while the EPSS score of 1%. The vulnerability is not listed in CISA KEV. The likely attack vector is remote, targeting the log‑viewer interface over the device’s management network. Exploitation requires only to the vulnerable function, presenting a low barrier for any attacker who can reach the device externally.
OpenCVE Enrichment