Description
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Published: 2026-06-18
Score: 9.8 Critical
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

InHand Networks IR912 and IR915 routers running firmware V1.0.0.r20042 and any earlier releases ship a Python export function that contains a CWE‑77 command‑injection flaw. A remote attacker who can supply crafted input to this endpoint can cause arbitrary shell commands to be executed with root privileges, giving full control over the device.

Affected Systems

The vulnerability affects InHand Networks IR912 and IR915 routers. All firmware builds equal to or older than V1.0 impacted; no other vendors or product lines are listed.

Risk and Exploitability

The CVSS score is 9.8, indicating a critical severity. EPSS is 1% and the vulnerability is not listed in KEV, so the likelihood of exploitation remains relatively low. Nonetheless, the attack only requires a crafted request to the export function over the network, so a remote attack vector is theoretically possible. If the function is exposed to untrusted hosts, an attacker could potentially gain root control, but the low EPSS score suggests that exploitation is not highly probable at present.

Generated by OpenCVE AI on June 24, 2026 at 11:36 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest InHand Networks firmware that fixes the command‑injection vulnerability.
  • Disable or tightly restrict the export functionality to a trusted administrative subnet via firewall rules.
  • If a patch is not immediately available, remove the Python export service from the device or block access to its port.
  • Deploy IDS or log monitoring to detect anomalous commands executed via the export endpoint.

Generated by OpenCVE AI on June 24, 2026 at 11:36 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Inhandnetworks
Inhandnetworks ir912
Inhandnetworks ir915
Vendors & Products Inhandnetworks
Inhandnetworks ir912
Inhandnetworks ir915

Wed, 24 Jun 2026 12:00:00 +0000

Type Values Removed Values Added
Title Remote Command Injection in InHand Networks IR912/IR915 Firmware

Wed, 24 Jun 2026 06:45:00 +0000

Type Values Removed Values Added
Title Remote Command Injection in InHand Networks IR912/IR915 Firmware

Wed, 24 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Title Remote Command Injection in InHand Networks IR912 and IR915 Routers

Tue, 23 Jun 2026 23:00:00 +0000

Type Values Removed Values Added
Title Remote Command Injection in InHand Networks IR912 and IR915 Routers

Tue, 23 Jun 2026 18:45:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 Export Function Allows Root Access

Tue, 23 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 Export Function Allows Root Access

Tue, 23 Jun 2026 15:45:00 +0000

Type Values Removed Values Added
Title Remote Command Injection in InHand Networks Router Export Function

Thu, 18 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Remote Command Injection in InHand Networks Router Export Function

Thu, 18 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 Exposing Root Access
Weaknesses CWE-78

Thu, 18 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 Exposing Root Access
Weaknesses CWE-78

Thu, 18 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
References

Subscriptions

Inhandnetworks Ir912 Ir915
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-18T17:45:17.271Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38716

cve-icon Vulnrichment

Updated: 2026-06-18T17:44:24.646Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:42:16Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')