How is CVE-2026-38716 exploited?

Network reachability (required): The vulnerable export function is exposed over the network, so an attacker must be able to reach the device's network interface to send a crafted request. Authentication (not-required): No credentials or account of any kind are needed; the injection endpoint is accessible without authentication. Victim interaction (not-required): The attack is fully automated and does not require any user on the target device to click, open, or approve anything. Attack complexity (info): Exploitation is reliable and condition-free: no race conditions, memory layout knowledge, or special environmental factors are required.

What is the impact of CVE-2026-38716?

Attacker executes arbitrary operating system commands as root, gaining complete control over the device's firmware and configuration. All data stored on or transmitted through the device is readable, including network credentials, VPN keys, and routing tables. An attacker can modify device configuration, redirect or intercept network traffic, and persist backdoors across reboots. The device can be crashed or rendered unresponsive, disrupting the industrial or operational network segment it serves.

Back to search

CRITICALCVE-2026-38716Published 2026-06-18Modified 2026-06-18CNA mitre

CVE-2026-38716: InHand Networks IR912 V1

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Command injection in InHand Networks IR912 and IR915 industrial routers (firmware V1.0.0.r20042 and earlier) allows a remote attacker with no authentication to execute arbitrary operating system commands as root via a crafted input to the Python application export function. The vulnerability is reachable over the network without any login credentials or victim interaction, making it trivially exploitable from the internet or any network path to the device. Successful exploitation gives the attacker full root-level control over the affected device. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images in registries and CI/CD pipelines, including custom-built images derived from affected InHand firmware bases.

Available

Triage

HarborGuard scores this finding at CVSS 9.8 Critical and is capable of weighting it further against each environment's compliance policy, then routing the alert to the appropriate team inbox within the customer organization.

Available

Patch

Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment InHand Networks releases a remediated firmware version. In the meantime, customers can apply compensating controls through HarborGuard's network-policy recommendations to isolate affected devices from untrusted network paths.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable export function is exposed over the network, so an attacker must be able to reach the device's network interface to send a crafted request.
AuthenticationNot required
No credentials or account of any kind are needed; the injection endpoint is accessible without authentication.
Victim interactionNot required
The attack is fully automated and does not require any user on the target device to click, open, or approve anything.
Attack complexityDetail
Exploitation is reliable and condition-free: no race conditions, memory layout knowledge, or special environmental factors are required.

Blast Radius

Attacker executes arbitrary operating system commands as root, gaining complete control over the device's firmware and configuration.
All data stored on or transmitted through the device is readable, including network credentials, VPN keys, and routing tables.
An attacker can modify device configuration, redirect or intercept network traffic, and persist backdoors across reboots.
The device can be crashed or rendered unresponsive, disrupting the industrial or operational network segment it serves.

How HarborGuard Handles This

Available on HarborGuard: this CVE is matched against customer images within minutes of publication, scored at CVSS 9.8 Critical, and surfaced through each environment's compliance-policy routing. Because InHand Networks has not yet published a patched firmware version, no automatic rebuild is available today. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available, with auto-remediation customers receiving a regression-test run and a PR opened against affected workloads, as soon as an upstream fix is released. While awaiting a patch, HarborGuard can surface network-policy isolation recommendations: restricting inbound access to the device's export endpoint to trusted management subnets, applying egress filtering to limit post-compromise lateral movement, and flagging any image that includes affected firmware versions for priority review in the deployment pipeline.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

inhand.com

Metrics

Get notified