CVE-2026-38702

Published: May 28, 2026Modified: May 29, 2026

9.8

Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Exploitability: 3.9 / Impact: 5.9

Source: 134c704f-9b21-4f2e-91b3-4a467353bcc0 (Secondary)

Description

A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

Affected (4)

Products: Inhandnetworks: Ir315 Firmware, Ir302 Firmware, Ir615 Firmware, Ir305 Firmware

4 products

Configuration A

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inhandnetworks Ir315 Firmware	Before 1.0.121

Running on/with	Platform Versions
Inhandnetworks Ir315	All versions

Configuration B

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inhandnetworks Ir302 Firmware	Before 3.5.112

Running on/with	Platform Versions
Inhandnetworks Ir302	All versions

Configuration C

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inhandnetworks Ir615 Firmware	Before 1.0.121

Running on/with	Platform Versions
Inhandnetworks Ir615	All versions

Configuration D

1 vulnerable · 1 platform

Vulnerable Software	Affected Versions
Inhandnetworks Ir305 Firmware	Before 1.0.121

Running on/with	Platform Versions
Inhandnetworks Ir305	All versions

Related CWEs

CWE-77

Improper Neutralization of Special Elements used in a Command ('Command Injection')

The product constructs all or part of a command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended command when it is sent to a downstream component.

References (1)

https://www.inhand.com/wp-content/uploads/InHand-PSA-2026-05_EN.pdf

Source: cve@mitre.org

Vendor Advisory

Timeline

No history available yet.