External risk intelligence

InHand Router Command Injection Vulnerability

CVE advisory

Severity: CRITICAL (CVSS 9.8)

CVE-2026-38715

The affected products are InHand Networks industrial routers. Such devices are typically deployed as internet-facing gateways or edge devices to provide network connectivity, making their management interfaces and services inherently exposed to the public internet by design.

Command Injection

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in the log viewing function of specific InHand Networks industrial routers. This issue allows remote attackers to execute unauthorized commands with the highest system privileges. The main concern is confirming whether your environment uses these affected devices, as their typical deployment as internet-facing gateways could increase exposure.

  • Attackers can run commands on routers.
  • Industrial routers are often internet-facing.
  • Confirm use of affected devices and assess risk.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending specially crafted input to the log viewing function of an affected InHand Networks device. This function, accessible over the network without any authentication, is susceptible to command injection. Successfully exploiting this flaw allows an attacker to execute arbitrary commands with root privileges, potentially leading to complete system compromise.

  • Reachable over the network with no authentication required.
  • Crafted input to log viewing function.
  • Arbitrary command execution as root.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated remote attacker to execute arbitrary commands with root privileges on the affected devices. This is possible when the log viewing function is accessible and can be exploited through crafted input, potentially leading to a complete compromise of the device.

  • System commands could be executed as root.
  • Arbitrary commands could be injected remotely.
  • Device could be fully compromised.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-World Ownership

This command injection vulnerability in InHand Networks industrial routers likely requires collaboration between infrastructure or platform teams responsible for managing network devices and security teams for initial exposure assessment. The first practical step involves identifying all deployed instances of the affected devices, confirming their network reachability and business criticality, and then locating the accountable asset owners to prioritize remediation efforts.

  • Infrastructure and security teams own this.
  • Verify external reachability and critical assets.
  • Plan remediation based on identified risk.


Frequently asked questions

What is the InHand Networks IR912 and IR915?

These are industrial-grade cellular routers used to provide reliable network connectivity for remote equipment and edge computing. They are commonly deployed in infrastructure environments where they act as gateways to bridge local devices with wide-area networks.

What does command injection mean for CVE-2026-38715?

It refers to CWE-77, a weakness where a program improperly neutralizes special characters in user-supplied input. In this case, the router's log viewing function fails to filter input, allowing an attacker to insert and execute their own unauthorized system commands with root-level access.

Do I need to be logged into the router to trigger this bug?

No. The vulnerability exists in the log viewing function, which can be reached over the network without any authentication. It does not require a valid user account, but it does require the ability to send crafted input to that specific network service.

Is my device at risk if it is not internet-facing?

Halo Surface Signal indicates these routers are typically designed as internet-facing gateways, which makes them highly accessible. However, if your device is isolated within an internal network and cannot be reached by external traffic, your risk profile is significantly lower.

How should I respond to this vulnerability?

Start by identifying all deployed InHand IR912 and IR915 units in your network. Once you have a list, verify if they are reachable from the internet or critical network segments. Coordinate with the infrastructure teams managing these routers to prioritize them for official updates or security policy adjustments.
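
A first-pass way to carry out the identification and reachability steps above, as an added example that is not part of the original advisory. It assumes a CSV asset inventory with hypothetical column names and segment labels, uses constructed sample hosts, and treats any management address outside RFC 1918 as publicly addressed, which is only a sorting signal until reachability is confirmed.

```python
import csv
import io
import ipaddress
import re

# Constructed sample inventory: hostnames, addresses and column names are assumptions.
SAMPLE_INVENTORY = """hostname,model,mgmt_ip,segment
pump-gw-01,InHand IR915L,203.0.113.10,field
plant-gw-02,IR912,10.20.0.5,ot-critical
lab-gw-03,ir915,192.168.50.2,lab
office-rt-04,OtherVendor X100,198.51.100.7,office
"""

# Models named on this page; suffixed variants such as "IR915L" are matched as an assumption.
AFFECTED_MODEL = re.compile(r"\bIR91[25]", re.IGNORECASE)
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
CRITICAL_SEGMENTS = {"ot-critical"}  # assumption: site-specific segment labels


def exposure_tier(mgmt_ip, segment):
    """1 = publicly addressed, 2 = internal but critical segment, 3 = other internal."""
    addr = ipaddress.ip_address(mgmt_ip)
    if not any(addr in net for net in RFC1918):
        return 1
    return 2 if segment in CRITICAL_SEGMENTS else 3


def triage(inventory_csv):
    """Return affected devices as (tier, hostname, model), most exposed first."""
    hits = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if AFFECTED_MODEL.search(row["model"]):
            tier = exposure_tier(row["mgmt_ip"].strip(), row["segment"].strip())
            hits.append((tier, row["hostname"], row["model"]))
    return sorted(hits)


if __name__ == "__main__":
    for tier, host, model in triage(SAMPLE_INVENTORY):
        print(f"tier {tier}: {host} ({model})")
```

Tier 1 devices are the ones to confirm external reachability for first, followed by tier 2 units on critical segments.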
