How is CVE-2026-38704 exploited?

Network reachability (required): The vulnerable WireGuard VPN feature is exposed over the network, so an attacker must be able to reach the device's network interface to send a malicious request. Authentication (not-required): No credentials of any kind are needed; the injection point is accessible without prior authentication. Victim interaction (not-required): Exploitation is fully attacker-driven and requires no action from any user or administrator on the target device. Attack complexity (info): Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of the target environment.

What is the impact of CVE-2026-38704?

An attacker gains root-level command execution on the affected router, giving full control over the operating system and all running processes. All data passing through or stored on the device is readable, including VPN configuration secrets, credentials, and traffic logs. An attacker can modify routing rules, firewall policy, VPN tunnels, or any persisted configuration on the device. The device can be crashed, rebooted, or rendered permanently unavailable, disrupting all network traffic it routes.

Back to search

CRITICALCVE-2026-38704Published 2026-05-28Modified 2026-05-28CNA mitre

CVE-2026-38704: A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3

A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.

HarborGuard Analysis

HarborGuard analysis

Synopsis

A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302, IR305, IR315, and IR615 industrial router firmware. The flaw is reachable over the network with no authentication required and no user interaction needed, making it trivially exploitable from the internet. Successful exploitation gives an attacker root-level command execution on the affected device. HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available the moment a fix is published.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: CVE-2026-38704 is ingested from upstream advisory feeds within minutes of publication and matched against all images in customer registries and CI/CD pipelines, including custom-built images that bundle affected InHand Networks firmware versions.

Available

Triage

Triage is available using the CVSS v3.1 score of 9.8 (CRITICAL), with per-environment compliance policy weighting applied so the finding is routed to the appropriate team inbox within each customer organization.

Available

Patch

No fix version has been published upstream for CVE-2026-38704. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; for customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will follow without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable WireGuard VPN feature is exposed over the network, so an attacker must be able to reach the device's network interface to send a malicious request.
AuthenticationNot required
No credentials of any kind are needed; the injection point is accessible without prior authentication.
Victim interactionNot required
Exploitation is fully attacker-driven and requires no action from any user or administrator on the target device.
Attack complexityDetail
Attack complexity is low, meaning the exploit is reliable and requires no special conditions, race timing, or knowledge of the target environment.

Blast Radius

An attacker gains root-level command execution on the affected router, giving full control over the operating system and all running processes.
All data passing through or stored on the device is readable, including VPN configuration secrets, credentials, and traffic logs.
An attacker can modify routing rules, firewall policy, VPN tunnels, or any persisted configuration on the device.
The device can be crashed, rebooted, or rendered permanently unavailable, disrupting all network traffic it routes.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-38704 is tracked continuously with no fix currently published upstream. Because no patched version exists, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild the moment InHand Networks releases a fix; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR against affected workloads without manual steps. In the interim, compensating controls worth considering include network-policy isolation to restrict inbound access to affected router management and WireGuard interfaces to known-trusted IP ranges, egress filtering to limit the router's outbound reach in case of compromise, and disabling the WireGuard VPN feature via its configuration flag if the feature is not actively required in the deployment.

See how HarborGuard automates this

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

inhand.com