External risk intelligence

InHand IR912 IR915 Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-38717

The affected products are industrial routers and gateways designed to be deployed at the network edge. As networking infrastructure devices, these components are frequently exposed to the internet or wide-area networks to facilitate remote management and connectivity, making the file upload and administration functions highly reachable from the public internet.

Command Injection

Halo Surface Signal: 5 out of 5 — more likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical command injection vulnerability has been identified in InHand Networks devices, specifically in their file upload functionality. This flaw could permit unauthorized remote attackers to execute arbitrary commands with root privileges, posing a significant risk to the integrity and control of these network edge devices.

Attackers can run any command remotely.
Essential for network edge device security.
Confirm relevance; a critical remote execution flaw.

Attack Path

How an attacker could exploit the issue

Attackers can exploit a command injection vulnerability in InHand Networks routers by uploading a specially crafted file through the device's file upload function. This allows them to execute arbitrary commands with root privileges, potentially leading to full system compromise.

Open network access required.
Vulnerable file upload function exploited.
Arbitrary command execution as root.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow remote attackers to execute arbitrary commands with root privileges on affected InHand Networks devices when an attacker crafts malicious input during the file upload process. This could impact the integrity and availability of the device, and potentially any connected systems.

Affected devices could be compromised.
Malicious commands via file upload.
Full device control and data access.

Operational Fix

Recommended remediation, mitigation, and detection steps

The vendor-management and security operations teams should lead the initial response for this vulnerability affecting InHand Networks devices. The first practical step is to identify all deployments of the affected devices, confirm their network exposure and business criticality, and then engage the appropriate accountable owner for remediation planning based on risk.

Identify accountable product owners.
Verify network exposure and business impact.
Plan remediation based on confirmed risk.

Supplementary metadata

CVSS vector

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

Which InHand Networks devices are affected by the recent security advisory?

The vulnerability impacts IR912 and IR915 industrial routers and gateways running version V1.0.0.r20042 or earlier. These devices serve as critical network edge infrastructure, providing connectivity for remote systems and IoT environments, which makes the integrity of their underlying software environment essential for maintaining secure communications.

How is the vulnerability in these InHand devices categorized?

This security flaw is classified as CWE-77, or Improper Neutralization of Special Elements used in a Command. This indicates that the device software does not properly sanitize user-supplied data, allowing an attacker to inject and execute arbitrary system commands instead of simply processing expected file upload data.

How is the command injection vulnerability triggered?

The flaw is triggered through the device's file upload function. By providing a specially crafted input during this process, an attacker can bypass security controls to execute commands with root-level privileges. Note that this does not require physical access to the hardware; the vulnerability is reachable through the network interface.

Why is this command injection vulnerability significant?

According to the Halo Surface Signal, these devices are highly reachable because they are designed for edge deployment and remote management. Given that the base score is 9.8 and the attack vector is network-based, the potential for remote, unauthenticated, and full system compromise makes this a critical security concern for any organization relying on these gateways.

What steps should be taken to manage this risk?

Security and management teams should first perform an inventory to identify all deployed IR912 and IR915 units. Evaluate the network exposure and business criticality of each identified device to determine the priority level. Once the scope is understood, engage the appropriate owners to coordinate remediation efforts and mitigate the threat to the network.

References

www.inhand.com/wp-content/uploads/2026/06/InHand-PSA-2026-06_EN.pdf

Written by Nicholas Merritt

Nicholas Merritt is VP of Security Solutions at Halo Security. With more than 25 years across application security, vulnerability prioritization, and offensive security, he helps teams translate threat data into practical exposure validation and remediation focus. He authors Halo Threat Intelligence CVE advisories using Halo Surface Signal and H/A/L/O context to prioritize internet-facing risk.