CVE-2026-38707: A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3
A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
HarborGuard Analysis
Synopsis
A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302, IR305, IR315, and IR615 firmware (IR302 V3.5.108, IR305/IR315/IR615 V1.0.118, and earlier). The flaw is reachable over the network with no authentication required and no user interaction needed, making it exploitable by any attacker who can reach the affected device. Successful exploitation gives the attacker root-level command execution on the target device, enabling full system compromise including data access, configuration tampering, and service disruption. No fix version has been published; HarborGuard tracks the advisory and will surface a patched rebuild as soon as upstream ships a fix.
HarborGuard Coverage
Detection of CVE-2026-38707 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected firmware versions. Any image containing an affected InHand Networks firmware package is flagged automatically without manual intervention.
Status: Available
Triage is available with a CVSS v3.1 score of 9.8 (Critical), surfaced alongside per-environment compliance policy weighting so teams with stricter network-device policies see elevated priority routing. Findings are dispatched to the appropriate team inbox within each customer org based on configured ownership rules.
Status: Available
Because no upstream fix version has been published for this CVE, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. In the interim, compensating controls such as network-policy isolation of affected devices and egress filtering are surfaced as recommended actions within the findings detail view.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable IPSec VPN feature is exposed over the network, meaning an attacker must be able to reach the device's network interface to deliver a malicious payload.
- Authentication: Not required
No credentials or prior account access are needed; the injection point is accessible to unauthenticated requests.
- Victim interaction: Not required
Exploitation is fully attacker-driven and does not require any action from a user or administrator on the target device.
- Attack complexity: Detail
Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental prerequisites.
Blast Radius
- Attacker gains a root shell on the target device, with full control over all processes and files.
- All stored credentials, VPN configuration secrets, and network traffic passing through the device are readable.
- Device configuration can be modified, including routing tables, firewall rules, and VPN tunnel definitions.
- The device can be crashed, rebooted, or enrolled into a botnet, disrupting all traffic it handles.
How HarborGuard Handles This
Available on HarborGuard: detection for CVE-2026-38707 is active and matches against any image in customer registries that packages InHand Networks IR302, IR305, IR315, or IR615 firmware at the affected versions. Because no upstream patch exists yet, auto-remediation cannot produce a rebuilt image at this time. HarborGuard re-checks the advisory on every ingest cycle and will automatically trigger a patched-image rebuild and, for customers with auto-remediation enabled, open a regression-tested PR against affected workloads the moment a fix version is published. While awaiting a patch, the findings detail view surfaces recommended compensating controls including isolating affected devices behind strict network policies, blocking unsolicited inbound access to the IPSec VPN interface, and applying egress filtering to limit post-compromise lateral movement.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
  - n/a / n/a n/a
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H