CVE-2026-38704

EUVD-2026-33238
A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices.
Command Injection
ProviderTypeBase ScoreAtk. VectorAtk. ComplexityPriv. RequiredVector
NISTPrimary
9.8 CRITICAL
NETWORK
LOW
NONE
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score
CVSS 3.x
EPSS Score
Percentile: 66%
Affected Products (NVD)
VendorProductVersion
inhandnetworksir315_firmware
𝑥
< 1.0.121
inhandnetworksir302_firmware
𝑥
< 3.5.112
inhandnetworksir615_firmware
𝑥
< 1.0.121
inhandnetworksir305_firmware
𝑥
< 1.0.121
𝑥
= Vulnerable software versions