What is CVE-2026-38703?

CVE-2026-38703 is a critical-severity vulnerability in Inhandnetworks Ir302, classified under Command Injection. CVSS score: 9.8/10. Published 2026-05-28.

How severe is CVE-2026-38703?

Critical severity. CVSS v3 base score is 9.8 out of 10.

RCE in Inhandnetworks Ir302

CVE-2026-38703

A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vu…

Vulnerability class: Command Injection (OS Command Injection)

EPSS: 0.002 (47.8th percentile) — read the EPSS interpretation.

CVSS v3 metric

CVSS v3 base score 9.8 (Critical). Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H.

Affected products

Inhandnetworks Ir302
Inhandnetworks Ir302_firmware
Inhandnetworks Ir305
Inhandnetworks Ir305_firmware
Inhandnetworks Ir315
Inhandnetworks Ir315_firmware
Inhandnetworks Ir615
Inhandnetworks Ir615_firmware
N/a — versions n/a

Weakness classification (CWE)

CWE-77 — Command Injection

References

cve@mitre.org (Vendor Advisory)

Frequently asked questions

What is CVE-2026-38703?: CVE-2026-38703 is a critical-severity vulnerability in Inhandnetworks Ir302, classified under Command Injection. CVSS score: 9.8/10. Published 2026-05-28.
How severe is CVE-2026-38703?: Critical severity. CVSS v3 base score is 9.8 out of 10.