PatchSiren

CVE-2026-38703 InHand Networks CVE debrief

A critical command injection vulnerability in the ZeroTier VPN feature of InHand Networks industrial routers allows unauthenticated remote attackers to execute arbitrary commands with root privileges. The vulnerability affects IR302 (V3.5.108 and earlier), IR305, IR315, and IR615 (all V1.0.118 and earlier). The CVSS 3.1 score of 9.8 reflects a network attack vector, low complexity, no privileges required, and high impact across confidentiality, integrity, and availability. The vendor has published a security advisory acknowledging the issue. Organizations using affected firmware versions should prioritize patching, given the unauthenticated remote exploitation path and the potential for complete system compromise.

Vendor: InHand Networks
Product: IR302, IR305, IR315, IR615 industrial routers (ZeroTier VPN feature)
CVSS: CRITICAL 9.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-05-28
Original CVE updated: 2026-05-29
Advisory published: 2026-05-28
Advisory updated: 2026-05-29

Who should care

  • Organizations operating InHand Networks IR302, IR305, IR315, or IR615 industrial routers with ZeroTier VPN enabled
  • Critical infrastructure operators
  • Remote monitoring and SCADA system administrators
  • Managed service providers deploying these devices for industrial IoT connectivity
  • Security teams responsible for OT/ICS network perimeter defense

Technical summary

The vulnerability exists in the ZeroTier VPN implementation within InHand Networks industrial router firmware. Insufficient input validation allows command injection through the VPN configuration interface, enabling unauthenticated remote attackers to inject and execute arbitrary operating system commands. Successful exploitation grants root-level access to the underlying Linux-based operating system, providing complete control over the device. The attack requires network access to the device's ZeroTier VPN service but no authentication credentials. Affected devices are commonly deployed in industrial and remote access scenarios, potentially exposing operational technology environments to remote compromise.

Defensive priority

critical

Recommended defensive actions

  • Immediate: Identify all InHand Networks IR302, IR305, IR315, and IR615 devices in inventory and verify firmware versions against affected releases (IR302 V3.5.108 and earlier; IR305/IR315/IR615 V1.0.118 and earlier)
  • Immediate: Apply vendor-supplied firmware updates per InHand PSA-2026-05 security advisory when available
  • Immediate: Restrict network access to ZeroTier VPN management interfaces to authorized administrative hosts only
  • Immediate: Monitor for anomalous command execution or privilege escalation attempts on affected devices
  • Short-term: Disable ZeroTier VPN feature if not required for operations until patching is complete
  • Short-term: Implement network segmentation to isolate affected industrial routers from critical operational technology networks
  • Short-term: Review device logs for indicators of compromise, including unexpected root-level activity or configuration changes
  • Medium-term: Establish firmware version tracking and vulnerability management program for industrial IoT/OT devices
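
The first action above (checking inventory firmware against the affected releases) can be scripted. The following is an added example, not code from the vendor or the advisory: it assumes an inventory export with hypothetical columns hostname, model and firmware, and a three-part numeric version string; the sample rows are constructed.

```python
import csv
import io
import re

# Affected ceilings from the debrief text: a device is affected when its
# firmware is at or below the listed version for its model.
AFFECTED_MAX = {
    "IR302": (3, 5, 108),
    "IR305": (1, 0, 118),
    "IR315": (1, 0, 118),
    "IR615": (1, 0, 118),
}

# Assumption: versions look like "V3.5.108" or "3.5.108" (optional V prefix).
_VERSION_RE = re.compile(r"^[Vv]?(\d+)\.(\d+)\.(\d+)")


def parse_version(text):
    """Return (major, minor, patch), or None if the string is not parseable."""
    m = _VERSION_RE.match(text.strip())
    return tuple(int(p) for p in m.groups()) if m else None


def classify(model, firmware):
    """Return affected, above_affected_range, unknown_version or not_listed."""
    ceiling = AFFECTED_MAX.get(model.strip().upper())
    if ceiling is None:
        return "not_listed"          # model is not named in this CVE
    version = parse_version(firmware)
    if version is None:
        return "unknown_version"     # needs manual review, do not assume safe
    return "affected" if version <= ceiling else "above_affected_range"


def triage(inventory_csv):
    """Map hostname -> status for each row of a hostname,model,firmware CSV."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {r["hostname"]: classify(r["model"], r["firmware"]) for r in reader}


# Constructed sample inventory (hostnames, versions and OTHER-MODEL are made up).
SAMPLE = """hostname,model,firmware
pump-gw-01,IR302,V3.5.108
pump-gw-02,IR302,V3.5.110
site-b-rtr,ir615,1.0.97
lab-rtr,IR315,unknown
office-rtr,OTHER-MODEL,V2.3.0
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        print(f"{host}: {status}")
```

A result of above_affected_range only means the version is newer than the range listed here; confirm the fixed release against the vendor advisory before closing the item.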

Evidence notes

The CVE description confirms command injection in the ZeroTier VPN feature with root privilege escalation. The NVD record shows the vulnerability status as 'Undergoing Analysis' with CVSS vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. The vendor reference links to the InHand PSA-2026-05 security advisory. CWE-77 (Command Injection) is assigned. Affected products and firmware versions are explicitly listed in the CVE description.
