Description
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the file upload function. The vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Published: 2026-06-18
Score: 9.8 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the file upload function of InHand Networks IR912 and IR915. A remote attacker can send crafted input to the file upload function that causes the system to execute arbitrary shell commands with root privileges. This gives the attacker full control over the device, compromising confidentiality, integrity, and availability.

Affected Systems

InHand Networks IR912 and IR915 running firmware version 1.0.0.r20042 or earlier are affected.

Risk and Exploitability

Based on the description, it is inferred that the file upload function is exposed over the network, allowing a remote attacker to send a crafted file and trigger arbitrary command execution as root. No EPSS score is provided, but the CVSS score of 9.8 indicates critical severity, and command execution as root makes this a high-risk vulnerability. The vulnerability is not listed in the CISA KEV catalog, but the potential for complete device takeover warrants immediate remediation.

Generated by OpenCVE AI on June 18, 2026 at 21:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest firmware update or security patch released by InHand Networks for IR912 and IR915.
  • Restrict remote access to the file upload API by limiting exposure to authorized IP ranges or disabling the endpoint if it is not required.
  • Enforce strict input validation on file uploads or replace the vulnerable function with a secure implementation to prevent command injection.
  • Monitor device logs for anomalous command execution or repeated file upload attempts to detect exploitation attempts.

Advisories

No advisories yet.

History

Thu, 18 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title Command Injection in File Upload Allows Remote Root Execution

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Command Injection in File Upload Allows Remote Root Execution
Weaknesses CWE-78

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the file upload function. The vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-18T17:43:38.972Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38717

Vulnrichment

Updated: 2026-06-18T17:41:32.657Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-18T21:30:16Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')

  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')