How is CVE-2026-38703 exploited?

Network reachability (required): The vulnerable ZeroTier VPN feature is exposed over the network, meaning an attacker must be able to reach the device across the internet or an accessible network segment. Authentication (not-required): No credentials or prior account access are needed; the vulnerability is exploitable by any unauthenticated remote attacker. Victim interaction (not-required): The attacker does not need any action from a user or operator on the target device to trigger the vulnerability. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental prerequisites.

What is the impact of CVE-2026-38703?

Attacker gains root-level command execution on the affected device, allowing full control of the operating system and all running processes. All stored credentials, configuration secrets, and private keys on the device are readable by the attacker. The attacker can modify firmware configuration, routing rules, and VPN tunnel settings, disrupting or redirecting network traffic. The device can be crashed, rebooted, or rendered permanently inaccessible, causing a full loss of connectivity for any network segment it serves.

Back to search

CRITICALCVE-2026-38703Published 2026-05-28Modified 2026-05-28CNA mitre

CVE-2026-38703: A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3

A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302, IR305, IR315, and IR615 firmware. The flaw is reachable over the network with no authentication and no victim interaction required, making it trivially exploitable by any remote attacker. Successful exploitation grants the attacker root-level command execution on the affected device. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-38703 is available across every HarborGuard environment. The CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images derived from affected InHand Networks firmware versions.

Available

Triage

Triage is available with the full CVSS 3.1 score of 9.8 (Critical), weighted against each customer environment's compliance policy to determine urgency and severity tier. HarborGuard routes findings to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

No fix version has been published by InHand Networks for this vulnerability. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable ZeroTier VPN feature is exposed over the network, meaning an attacker must be able to reach the device across the internet or an accessible network segment.
AuthenticationNot required
No credentials or prior account access are needed; the vulnerability is exploitable by any unauthenticated remote attacker.
Victim interactionNot required
The attacker does not need any action from a user or operator on the target device to trigger the vulnerability.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or environmental prerequisites.

Blast Radius

Attacker gains root-level command execution on the affected device, allowing full control of the operating system and all running processes.
All stored credentials, configuration secrets, and private keys on the device are readable by the attacker.
The attacker can modify firmware configuration, routing rules, and VPN tunnel settings, disrupting or redirecting network traffic.
The device can be crashed, rebooted, or rendered permanently inaccessible, causing a full loss of connectivity for any network segment it serves.

How HarborGuard Handles This

Available on HarborGuard: continuous monitoring of the CVE-2026-38703 advisory across all customer environments. Because no upstream fix currently exists, HarborGuard will surface affected images as Critical findings and re-evaluate patch availability on every ingest cycle. In the absence of a vendor patch, customers are advised to consider network-policy isolation rules that restrict access to the ZeroTier VPN management interface to known trusted IP ranges, apply egress filtering at the perimeter to limit lateral movement from a compromised device, and evaluate whether the ZeroTier feature can be disabled via a firmware feature flag until a fix is available. The moment InHand Networks publishes a patched firmware version, HarborGuard will make a rebuilt image available; for customers with auto-remediation enabled, this will trigger an automated rebuild, regression test run, and a PR opened against affected workloads.

See how HarborGuard automates this

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

inhand.com