CVE-2026-38704
CRITICAL
InHand Networks IR302 V3.5.108, IR305/315/615 V1.0.118 - WireGuard VPN Command Injection
Title source: llm
Description
A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
Scores
CVSS v3: 9.8
EPSS: 0.0127
EPSS Percentile: 65.9%
Attack Vector: NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CISA SSVC (Vulnrichment)
Exploitation: none
Automatable: yes
Technical Impact: total
Details
CWE: CWE-77
Status: published
Products (4)
inhandnetworks/ir302_firmware: < 3.5.112
inhandnetworks/ir305_firmware: < 1.0.121
inhandnetworks/ir315_firmware: < 1.0.121
inhandnetworks/ir615_firmware: < 1.0.121
Published: May 28, 2026
Tracked Since: May 28, 2026