Description
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Published: 2026-06-18
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

InHand Networks IR912 and IR915 routers running firmware V1.0.0.r20042 and any earlier releases ship a Python export function that contains a command‑injection flaw. A remote attacker who can supply crafted input to this endpoint can cause arbitrary shell commands to be executed with root privileges, giving full control over the device.

Affected Systems

The vulnerability affects InHand Networks IR912 and IR915 routers. All firmware builds equal to or older than V1.0.0.r20042 are impacted; no other vendors or product lines are listed.

Risk and Exploitability

The CVSS score is 9.8, indicating a critical severity. EPSS is not available and the flaw is not listed in KEV, but because the attack requires only a crafted request to the export function, the likely attack vector is remote over the network. If the function is exposed to untrusted hosts, exploitation is highly probable, allowing an attacker to take full ownership of the device.

Generated by OpenCVE AI on June 18, 2026 at 23:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the InHand Networks firmware that fixes the command-injection vulnerability once one is released.
  • Disable or tightly restrict the export functionality to a trusted administrative subnet via firewall rules.
  • If a patch is not immediately available, remove the Python export service from the device or block access to its port.
  • Deploy IDS or log monitoring to detect anomalous commands executed via the export endpoint.


Advisories

No advisories yet.

History

Thu, 18 Jun 2026 23:45:00 +0000

Type Values Removed Values Added
Title Remote Command Injection in InHand Networks Router Export Function

Thu, 18 Jun 2026 22:30:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 Exposing Root Access
Weaknesses CWE-78

Thu, 18 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 Exposing Root Access
Weaknesses CWE-78

Thu, 18 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-18T17:45:17.271Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38716

Vulnrichment

Updated: 2026-06-18T17:44:24.646Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T23:30:16Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')