External risk intelligence

InHand Router Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-38716

The affected products are industrial cellular routers (IR912 and IR915) designed for remote connectivity and networking. Such devices are typically deployed at the edge of a network to provide internet access or remote management, making their management interfaces or features frequently reachable via the public internet in common deployment scenarios.

Command Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

This critical vulnerability impacts InHand industrial routers, potentially allowing remote attackers to execute commands with full system privileges. The concern stems from the widespread use of these devices in critical infrastructure and industrial environments, where unauthorized access could have significant operational consequences.

A flaw lets attackers run commands remotely.
It affects critical infrastructure connectivity devices.
Confirm relevance and exposure of InHand routers.

Attack Path

How an attacker could exploit the issue

Attackers can exploit a command injection vulnerability in InHand Networks' Python application export function to gain root-level access. This vulnerability is accessible remotely, requiring no authentication or user interaction, and can lead to the execution of arbitrary commands on the affected devices.

No authentication required for access.
Crafted input triggers command execution.
Remote command execution as root.

Live Threat

Current exploitation, exposure, and threat context

A command injection vulnerability in the Python application export function could allow an unauthenticated remote attacker to execute arbitrary commands with root privileges on affected InHand Networks devices. This could impact the integrity and availability of the affected devices and any services they manage.

Device command execution and control.
Via crafted input over the network.
Complete system compromise.

Operational Fix

Recommended remediation, mitigation, and detection steps

To address this command injection vulnerability, the platform or infrastructure teams managing InHand Networks routers are likely responsible. The first practical step is to identify all instances of the affected devices within your environment, determine their network exposure, and confirm their business criticality. Once ownership and impact are clear, a remediation plan can be developed, potentially involving vendor coordination or immediate action if business-critical and externally accessible.

Platform or infrastructure teams own remediation.
Verify device exposure and criticality first.
Plan remediation based on identified risk.

Supplementary metadata

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What are InHand IR912 and IR915 routers?

These are industrial cellular routers manufactured by InHand Networks. They are designed to provide remote connectivity and networking capabilities, often serving as gateways that connect local industrial equipment or remote sites to a wider network, including the internet.

What is the command injection flaw in CVE-2026-38716?

This vulnerability is classified as CWE-77, which involves improper neutralization of special elements used in a command. In plain English, the software does not properly filter the data it receives. By sending specifically crafted input to the Python application export function, an attacker can trick the system into running unauthorized commands with root-level privileges.

How can an attacker trigger this vulnerability?

An attacker can trigger this by sending specially crafted input to the vulnerable Python application export function. This process does not require any authentication or user interaction to succeed. It is important to note that actions unrelated to this specific export function do not trigger the flaw.

Do I need to worry if my InHand router is internal?

Halo Surface Signal indicates that these routers are often deployed at the edge of a network for internet access or remote management, making them frequently reachable from the public internet. While external devices are at higher risk, you should verify the network placement of your specific units to determine if they are reachable from outside your protected environment.

What should I do first to manage this risk?

Your first step is to locate all instances of InHand IR912 and IR915 routers within your infrastructure. Once identified, evaluate their specific network connectivity and business importance. This information helps you prioritize which devices require immediate attention and supports the development of a structured remediation plan.

References

www.inhand.com/wp-content/uploads/2026/06/InHand-PSA-2026-06_EN.pdf

Written by Nicholas Merritt

Nicholas Merritt is VP of Security Solutions at Halo Security. With more than 25 years across application security, vulnerability prioritization, and offensive security, he helps teams translate threat data into practical exposure validation and remediation focus. He authors Halo Threat Intelligence CVE advisories using Halo Surface Signal and H/A/L/O context to prioritize internet-facing risk.