InHand Networks 関連製品全体の CVE とセキュリティ脆弱性情報を集約し、CVSS、EPSS、公開日、脆弱性情報データを掲載しています。
公開された問題は vendor risk cross-site scripting、パス処理の欠陥, and バッファオーバーフロー に関連することが多く、vendor surface software deployment and vendor surface production workloads の文脈で vendor impact session compromise and vendor impact memory corruption などの暴露リスクを伴う場合があります。
掲載データは公開脆弱性情報とセキュリティ公告に基づき、過去の暴露面と修補優先度の評価に利用できます。
| CVE | 概要 | ソース | CVSS 最大値 | EPSS(%) | 公開 | 更新 |
|---|---|---|---|---|---|---|
| CVE-2026-38718 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a buffer overflow vulnerability in the device registration function. This vulnerability could allow an attacker to cause a denial of service attack on the remote target device. | [email protected] | 7.5 | 0.33% | 2026-06-18 | 2026-06-22 |
| CVE-2026-38717 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the file upload function. The vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input. | [email protected] | 9.8 | 1.32% | 2026-06-18 | 2026-06-22 |
| CVE-2026-38716 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python application export function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input. | [email protected] | 9.8 | 1.32% | 2026-06-18 | 2026-06-22 |
| CVE-2026-38715 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the log viewing function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input. | [email protected] | 9.8 | 1.32% | 2026-06-18 | 2026-06-22 |
| CVE-2026-38714 | InHand Networks IR912 V1.0.0.r20042 and IR915 V1.0.0.r20042 (including earlier versions) were discovered to contain a command injection vulnerability in the Python configuration function. This vulnerability allows remote attackers to execute arbitrary commands as root via a crafted input. | [email protected] | 9.8 | 1.32% | 2026-06-18 | 2026-06-22 |
| CVE-2026-38707 | A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. | [email protected] | 9.8 | 1.24% | 2026-05-28 | 2026-06-17 |
| CVE-2026-38704 | A command injection vulnerability exists in the WireGuard VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. | [email protected] | 9.8 | 1.27% | 2026-05-28 | 2026-06-17 |
| CVE-2026-38703 | A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. | [email protected] | 9.8 | 1.24% | 2026-05-28 | 2026-06-17 |
| CVE-2026-38702 | A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target devices. | [email protected] | 9.8 | 1.24% | 2026-05-28 | 2026-06-17 |
| CVE-2023-22601 | InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-330: Use of Insufficiently Random Values. They do not properly randomize MQTT ClientID parameters. An unauthorized user could calculate this parameter and use it to gather additional information about other InHand devices managed on the same cloud platform. | [email protected] | 10.0 | 0.56% | 2023-01-12 | 2026-06-17 |
| CVE-2023-22600 | InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-284: Improper Access Control. They allow unauthenticated devices to subscribe to MQTT topics on the same network as the device manager. An unauthorized user who knows of an existing topic name could send and receive messages to and from that topic. This includes the ability to send GET/SET configuration commands, reboot commands, and push firmwar | [email protected] | 10.0 | 0.49% | 2023-01-12 | 2026-06-17 |
| CVE-2023-22599 | InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-760: Use of a One-way Hash with a Predictable Salt. They send MQTT credentials in response to HTTP/HTTPS requests from the cloud platform. These credentials are encoded using a hardcoded string into an MD5 hash. This string could be easily calculated by an unauthorized user who spoofed sending an HTTP/HTTPS request to the devices. This could re | [email protected] | 7.0 | 0.32% | 2023-01-12 | 2026-06-17 |
| CVE-2023-22598 | InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). An unauthorized user with privileged access to the local web interface or the cloud account managing the affected devices could push a specially crafted configuration update file to gain root access. This could lead to remote code execution with roo | [email protected] | 7.2 | 1.64% | 2023-01-12 | 2026-06-17 |
| CVE-2023-22597 | InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-319: Cleartext Transmission of Sensitive Information. They use an unsecured channel to communicate with the cloud platform by default. An unauthorized user could intercept this communication and steal sensitive information such as configuration information and MQTT credentials; this could allow MQTT command injection. | [email protected] | 6.5 | 0.51% | 2023-01-12 | 2026-06-17 |
| CVE-2022-30543 | A leftover debug code vulnerability exists in the console infct functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted series of network requests can lead to execution of privileged operations. An attacker can send a sequence of requests to trigger this vulnerability. | [email protected] | 8.8 | 0.85% | 2022-11-09 | 2026-06-17 |
| CVE-2022-29888 | A leftover debug code vulnerability exists in the httpd port 4444 upload.cgi functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted HTTP request can lead to arbitrary file deletion. An attacker can send an HTTP request to trigger this vulnerability. | [email protected] | 8.1 | 1.54% | 2022-11-09 | 2026-06-17 |
| CVE-2022-29481 | A leftover debug code vulnerability exists in the console nvram functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted series of network requests can lead to disabling security features. An attacker can send a sequence of requests to trigger this vulnerability. | [email protected] | 6.5 | 0.77% | 2022-11-09 | 2026-06-17 |
| CVE-2022-28689 | A leftover debug code vulnerability exists in the console support functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability. | [email protected] | 8.8 | 0.91% | 2022-11-09 | 2026-06-17 |
| CVE-2022-26023 | A leftover debug code vulnerability exists in the console verify functionality of InHand Networks InRouter302 V3.5.45. A specially-crafted series of network requests can lead to disabling security features. An attacker can send a sequence of requests to trigger this vulnerability. | [email protected] | 6.5 | 0.77% | 2022-11-09 | 2026-06-17 |
| CVE-2022-25932 | The firmware of InHand Networks InRouter302 V3.5.45 introduces fixes for TALOS-2022-1472 and TALOS-2022-1474. The fixes are incomplete. An attacker can still perform, respectively, a privilege escalation and an information disclosure vulnerability. | [email protected] | 9.8 | 0.64% | 2022-11-09 | 2026-06-17 |