How is CVE-2026-38717 exploited?

Network reachability (required): The vulnerable file upload function is exposed over the network, so an attacker must be able to reach the device's interface across the internet or an internal network segment. Authentication (not-required): No credentials are needed; the command injection is reachable by any unauthenticated caller. Victim interaction (not-required): The attack is fully automated and requires no action from any user of the device. Attack complexity (info): Exploitation is reliable and condition-free; the attacker only needs to send a crafted file upload request with no dependency on race conditions or memory layout.

What is the impact of CVE-2026-38717?

A successful attacker executes arbitrary OS commands as root, gaining complete administrative control of the IR912 or IR915 device. Confidential data stored on or transmitted through the device (credentials, VPN keys, routing tables, session tokens) is readable in full. The attacker can modify device configuration, firmware, or routing rules, redirecting or intercepting network traffic passing through the device. The device can be crashed or rendered permanently unavailable, disrupting any network services or connected OT/industrial systems that depend on it.

Back to search

CRITICALCVE-2026-38717Published 2026-06-18Modified 2026-06-18CNA mitre

CVE-2026-38717: InHand Networks IR912 V1

InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the file upload function. The vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Command injection in InHand Networks IR912 and IR915 firmware (version V1.0.0.r20042 and earlier) allows a remote attacker with no authentication to execute arbitrary operating system commands as root via a crafted file upload. The vulnerability is reachable over the network and requires no user interaction, making it trivially weaponizable. Successful exploitation gives the attacker full root-level control of the device, enabling data theft, persistent backdoor installation, or complete service disruption. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment upstream publishes a fix.

HarborGuard Coverage

Detection

Detection for CVE-2026-38717 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all container images in customer registries and CI/CD pipelines, including custom-built images that embed this firmware or its components.

Available

Triage

Triage is available with a CVSS 3.1 score of 9.8 (Critical), weighted against each environment's compliance policy to determine urgency and routed automatically to the appropriate team inbox within each customer organization.

Available

Patch

No fix version has been published upstream; HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment InHand Networks releases a corrected firmware build. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once the upstream fix is confirmed.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable file upload function is exposed over the network, so an attacker must be able to reach the device's interface across the internet or an internal network segment.
AuthenticationNot required
No credentials are needed; the command injection is reachable by any unauthenticated caller.
Victim interactionNot required
The attack is fully automated and requires no action from any user of the device.
Attack complexityDetail
Exploitation is reliable and condition-free; the attacker only needs to send a crafted file upload request with no dependency on race conditions or memory layout.

Blast Radius

A successful attacker executes arbitrary OS commands as root, gaining complete administrative control of the IR912 or IR915 device.
Confidential data stored on or transmitted through the device (credentials, VPN keys, routing tables, session tokens) is readable in full.
The attacker can modify device configuration, firmware, or routing rules, redirecting or intercepting network traffic passing through the device.
The device can be crashed or rendered permanently unavailable, disrupting any network services or connected OT/industrial systems that depend on it.

How HarborGuard Handles This

Available on HarborGuard: detection for this critical command-injection vulnerability is active across all scanning environments, matching images against CVE-2026-38717 within minutes of ingest. Because no upstream fix has been published, HarborGuard monitors the InHand Networks advisory on every ingest cycle and will trigger a patched-image rebuild automatically as soon as a corrected firmware build is released. For customers with auto-remediation enabled, that moment will produce a rebuild, a regression test run, and a PR opened against affected workloads with no manual steps required. In the interim, compensating controls worth evaluating include strict network-policy isolation to block unauthenticated external access to the device management interface, egress filtering to limit outbound connections from the device, and disabling the file upload function via a feature flag or ACL if the firmware supports it. Where compliance policy permits, HarborGuard can surface these compensating-control recommendations directly in the triage workflow for each affected environment.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

inhand.com

Metrics

Get notified