Description
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the file upload function. The vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Published: 2026-06-18
Score: 9.8 Critical
EPSS: 1.3% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw in the file upload function of InHand Networks IR912 and IR915. A remote attacker can send a specially crafted file that causes the system to execute arbitrary shell commands with root privileges. This gives full control over the device, allowing compromise of confidentiality, integrity, and availability.

Affected Systems

InHand Networks IR912 and IR915 running firmware version 1.0.0.r20042 or earlier are affected.

Risk and Exploitability

The most probable attack path is a remote file upload that reaches a network-exposed API; the description speaks of a "crafted input" that forces execution, so it is inferred that an attacker can use this endpoint to trigger command injection. The EPSS score of 1% shows a small, yet non-zero likelihood for exploitation, while the CVSS score of 9.8 confirms critical severity. Root-level impact demonstrates a high-risk vulnerability. The vulnerability is not listed in the CISA KEV catalog, but the possibility of full device takeover demands immediate remediation.

Generated by OpenCVE AI on June 24, 2026 at 13:10 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Install the latest firmware update or security patch released by InHand Networks for IR912 and IR915.
  • Restrict remote access to the file upload API by limiting exposure to authorized IP ranges or disabling the endpoint if it is not required.
  • Enforce strict input validation on file uploads or replace the vulnerable function with a secure implementation to prevent command injection.
  • Monitor device logs for anomalous command execution or repeated file upload attempts to detect exploitation attempts.

Generated by OpenCVE AI on June 24, 2026 at 13:10 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 21:00:00 +0000

Type Values Removed Values Added
First Time appeared Inhandnetworks
Inhandnetworks ir912
Vendors & Products Inhandnetworks
Inhandnetworks ir912

Wed, 24 Jun 2026 13:30:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912 and IR915 Firmware Enables Remote Root Access

Wed, 24 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912 and IR915 Firmware Enables Remote Root Access

Wed, 24 Jun 2026 03:30:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 File Upload Grants Root Access

Tue, 23 Jun 2026 22:45:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 File Upload Grants Root Access

Tue, 23 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Title Command Injection in File Upload Function of InHand Networks IR912/IR915

Tue, 23 Jun 2026 17:15:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 Firmware via File Upload Command Injection in File Upload Function of InHand Networks IR912/IR915

Tue, 23 Jun 2026 16:15:00 +0000

Type Values Removed Values Added
Title Command Injection in InHand Networks IR912/IR915 Firmware via File Upload
Weaknesses CWE-78

Thu, 18 Jun 2026 21:45:00 +0000

Type Values Removed Values Added
Title Command Injection in File Upload Allows Remote Root Execution

Thu, 18 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-77
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Thu, 18 Jun 2026 19:00:00 +0000

Type Values Removed Values Added
Title Command Injection in File Upload Allows Remote Root Execution
Weaknesses CWE-78

Thu, 18 Jun 2026 16:45:00 +0000

Type Values Removed Values Added
Description InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the file upload function. The vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
References

Subscriptions

Inhandnetworks Ir912
cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-18T17:43:38.972Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38717

cve-icon Vulnrichment

Updated: 2026-06-18T17:41:32.657Z

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-24T20:42:15Z

Weaknesses
  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')