CVE-2026-38714: InHand Networks IR912 V1
InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.
Metrics
- CVSS v3.1
- 9.8
- Severity
- CRITICAL
- Fixed in
- —
- Affected Products
- 1
HarborGuard Analysis
Synopsis
Command injection in InHand Networks IR912 and IR915 routers (firmware V1.0.0.r20042 and earlier) allows a remote, unauthenticated attacker to execute arbitrary operating system commands as root via a crafted input to the Python configuration function. The vulnerability is reachable over the network with no authentication or user interaction required, giving an attacker full control of the device, including read and write access to all data and the ability to disrupt service. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle InHand Networks firmware or related components.
AvailableHarborGuard scores this CVE at 9.8 CRITICAL using the CVSS v3.1 vector and weights it against each environment's compliance policy, then routes the finding to the appropriate team inbox within the customer org.
AvailableNo fix version has been published for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor ships a fix; customers with auto-remediation enabled will receive a rebuild, regression-test run, and a PR opened against affected workloads without manual intervention.
Pending upstreamExploit Conditions
- Network reachabilityRequired
The vulnerable Python configuration function is exposed over the network, so an attacker must be able to reach the device's network interface to send a crafted request.
- AuthenticationNot required
No account or credentials of any privilege level are needed to trigger the command injection.
- Victim interactionNot required
The attack is fully remote and automated; no user on the target device needs to take any action.
- Attack complexityDetail
Exploitation is reliable and condition-free, with no race conditions or special environmental prerequisites required.
Blast Radius
- A successful attacker executes arbitrary OS commands as root, gaining complete control over the device's operating system.
- All data stored on or transmitted through the device is readable by the attacker, including credentials, configuration secrets, and network traffic.
- The attacker can modify any persisted configuration, routing rules, or firmware state on the device.
- The attacker can crash or restart the device at will, disrupting all network traffic and services it routes.
How HarborGuard Handles This
Available on HarborGuard: this CVE is flagged CRITICAL (9.8) with no upstream fix, so the platform monitors the advisory on every ingest cycle and surfaces the finding immediately for any image that includes affected InHand Networks firmware. While no patched rebuild can be generated yet, compensating controls can be applied in the interim: network-policy isolation to restrict inbound access to the device management interface, egress filtering to limit lateral movement if the device is compromised, and feature-flag or ACL gating on the Python configuration endpoint where the device firmware supports it. The moment InHand Networks publishes a fix, HarborGuard will make a patched-image rebuild available; for customers with auto-remediation enabled, that triggers a rebuild, regression-test run, and a PR opened against affected workloads automatically.
- n/a / n/an/a
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H