CVE-2026-38707

CRITICAL

InHand Networks IR302 <= V3.5.108, IR305/IR315/IR615 <= V1.0.118 - Command Injection in IPSec VPN Feature

Title source: llm

Description

A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain root privileges on remote target devices.

Scores

CVSS v3 9.8
EPSS 0.0124
EPSS Percentile 65.2%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable yes
Technical Impact total

Details

CWE CWE-77
Status published
Products (4)
inhandnetworks/ir302_firmware < 3.5.112
inhandnetworks/ir305_firmware < 1.0.121
inhandnetworks/ir315_firmware < 1.0.121
inhandnetworks/ir615_firmware < 1.0.121
Published May 28, 2026
Tracked Since May 28, 2026