CVE-2026-38703
Last modified
CVE-2026-38703 is a critical-severity vulnerability rated 9.8/10 on the CVSS scale. A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.. EPSS estimates a 1.24% chance of exploitation in the next 30 days.
Description
A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Inhandnetworks | Ir315 Firmware | < 1.0.121 |
| Inhandnetworks | Ir302 Firmware | < 3.5.112 |
| Inhandnetworks | Ir615 Firmware | < 1.0.121 |
| Inhandnetworks | Ir305 Firmware | < 1.0.121 |
References
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-38703?
How severe is CVE-2026-38703?
How do I fix CVE-2026-38703?
Are you affected by CVE-2026-38703?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST