Impact
The vulnerability is a command injection flaw in the file upload function of InHand Networks IR912 and IR915. A remote attacker can send a specially crafted file that causes the system to execute arbitrary shell commands with root privileges. This gives full control over the device, allowing compromise of confidentiality, integrity, and availability.
Affected Systems
InHand Networks IR912 and IR915 running firmware version 1.0.0.r20042 or earlier are affected.
Risk and Exploitability
The most probable attack path is a remote file upload that reaches a network-exposed API; the description speaks of a "crafted input" that forces execution, so it is inferred that an attacker can use this endpoint to trigger command injection. The EPSS score of 1% shows a small, yet non-zero likelihood for exploitation, while the CVSS score of 9.8 confirms critical severity. Root-level impact demonstrates a high-risk vulnerability. The vulnerability is not listed in the CISA KEV catalog, but the possibility of full device takeover demands immediate remediation.
OpenCVE Enrichment