InHand Networks Routers Command Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-38714

The affected products are industrial routers and networking appliances designed to provide network connectivity. These devices are typically deployed at the network edge, making their management interfaces or configuration functions commonly exposed to the internet or wide-area networks as part of their standard operation.

Command Injection

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A command injection vulnerability has been discovered in specific InHand Networks industrial devices, allowing remote attackers to execute unauthorized commands with root privileges. This technical flaw could potentially impact the integrity and availability of network operations.

  • Remote attackers can execute commands on affected devices.
  • Executive attention needed for potential network infrastructure impact.
  • Confirm relevance and exposure of InHand industrial devices.

Attack Path

How an attacker could exploit the issue

An attacker can remotely trigger a command injection vulnerability in the Python configuration function of InHand Networks devices. This exposure allows unauthenticated attackers to send specially crafted input, leading to the execution of arbitrary commands with root privileges.

  • Accessible via network without authentication.
  • Inputting crafted data into the configuration function.
  • Remote command execution with root privileges.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, this vulnerability could allow remote attackers to execute arbitrary commands with root privileges on affected devices. This could lead to a complete compromise of the device and any data it processes or stores.

  • Affected industrial routers and networking appliances.
  • Remote attackers could execute arbitrary commands.
  • Complete device compromise and data access.

Operational Fix

Recommended remediation, mitigation, and detection steps

The command injection vulnerability in the Python configuration function of InHand Networks IR912 and IR915 devices likely impacts teams responsible for operational technology (OT) infrastructure and network security. The first practical step is to identify all deployed instances of these devices, confirm their network exposure and business criticality, and then locate the accountable owner for remediation planning.

  • Identify affected InHand devices.
  • Verify network exposure and business impact.
  • Plan and coordinate remediation actions.

Frequently asked questions

What is the InHand Networks IR912 and IR915?

These are industrial-grade routers and networking appliances designed to provide reliable connectivity in remote or challenging environments. They are commonly used by organizations to manage data traffic for operational technology (OT) infrastructure, often functioning as a critical gateway between local equipment and broader wide-area networks.

How does CVE-2026-38714 cause a security risk?

This vulnerability is classified as CWE-77, or Improper Neutralization of Special Elements used in a Command. In simple terms, the device's Python configuration function fails to properly filter input, allowing an attacker to inject and execute their own unauthorized system commands with full root-level control over the router.

Do I need to be authenticated to trigger this vulnerability?

No. The vulnerability does not require any prior authentication or local access to the device. An attacker can trigger the issue remotely by sending specifically crafted input data to the vulnerable configuration function. Merely interacting with the device's standard configuration interface, if reachable, is enough to initiate the exploit.

Why is this CVE considered high risk for my network?

Halo Surface Signal indicates that because these routers are designed for edge deployment, their management interfaces are frequently exposed to the internet or wide-area networks. This external accessibility increases the likelihood that a remote attacker could find and compromise an unprotected device, potentially disrupting the network infrastructure it serves.

What should I do if I use these InHand routers?

Begin by creating an inventory of all IR912 and IR915 devices currently in your environment. Once identified, evaluate their specific network placement to determine if they are exposed to external connections and assess their business criticality. Coordinate with your network operations team to prioritize these assets for upcoming security updates or configuration hardening.
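
The inventory, exposure and prioritization steps described above and under Operational Fix, as an added example (not part of the original advisory or any vendor tooling): it filters a constructed asset inventory for the IR912 and IR915 models, classifies each management address, and ranks the matches for remediation. The CSV column names, scoring weights and sample rows are assumptions.

```python
import csv
import io
import ipaddress

AFFECTED_MODELS = ("IR912", "IR915")  # models named on this page
# Treated as not directly internet-routable: RFC 1918, CGNAT, loopback, link-local.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16")]
CRITICALITY = {"high": 2, "medium": 1, "low": 0}

# Constructed sample inventory; documentation-range IPs stand in for public ones.
SAMPLE_INVENTORY = """hostname,model,mgmt_ip,criticality,owner
pump-gw-01,IR915,203.0.113.24,high,ot-water
depot-gw-03,OTHER-100,198.51.100.7,high,ot-logistics
substation-04,ir912,192.168.50.1,high,ot-power
kiosk-rtr-05,IR915-X,100.64.12.9,medium,
yard-rtr-06,IR912,dhcp,medium,ot-yard
"""

def exposure(mgmt_ip):
    """Classify a management address as 'routable', 'internal' or 'unknown'."""
    try:
        addr = ipaddress.IPv4Address(mgmt_ip.strip())
    except ValueError:
        return "unknown"  # blank, hostname or IPv6: needs manual review
    return "internal" if any(addr in net for net in INTERNAL_NETS) else "routable"

def triage(inventory_csv):
    """Return affected devices, highest remediation priority first."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        model = row["model"].strip().upper()
        if not model.startswith(AFFECTED_MODELS):
            continue
        exp = exposure(row["mgmt_ip"])
        score = {"routable": 2, "unknown": 1, "internal": 0}[exp]
        score += CRITICALITY.get(row["criticality"].strip().lower(), 1)
        findings.append({
            "hostname": row["hostname"], "model": model,
            "exposure": exp, "score": score,
            # Suffixed variants are not named on this page; confirm with the vendor.
            "confirm_model": model not in AFFECTED_MODELS,
            "needs_owner": not row["owner"].strip(),
        })
    return sorted(findings, key=lambda f: (-f["score"], f["hostname"]))

if __name__ == "__main__":
    for f in triage(SAMPLE_INVENTORY):
        print(f)
```

The explicit range list is used instead of `ipaddress`'s `is_private`, which also reports documentation ranges as private and would misclassify the sample rows. An "internal" result only describes the address; it does not show that the management interface is unreachable through NAT or port forwarding.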
