Impact
InHand Networks IR912 and IR915 routers running firmware V1.0.0.r20042 and any earlier releases ship a Python export function that contains a CWE‑77 command‑injection flaw. A remote attacker who can supply crafted input to this endpoint can cause arbitrary shell commands to be executed with root privileges, giving full control over the device.
Affected Systems
The vulnerability affects InHand Networks IR912 and IR915 routers. All firmware builds equal to or older than V1.0 impacted; no other vendors or product lines are listed.
Risk and Exploitability
The CVSS score is 9.8, indicating a critical severity. EPSS is 1% and the vulnerability is not listed in KEV, so the likelihood of exploitation remains relatively low. Nonetheless, the attack only requires a crafted request to the export function over the network, so a remote attack vector is theoretically possible. If the function is exposed to untrusted hosts, an attacker could potentially gain root control, but the low EPSS score suggests that exploitation is not highly probable at present.
OpenCVE Enrichment