Cyber Posture

CVE-2026-38702

CriticalRCE
Microsoft: not affectedMSmacOS: not affectedMacLinux: not affectedLnxMobile: not affectedMobNetwork: not affectedNetApplication: not affectedAppOther: affectedOth

Published: 28 May 2026

Published
28 May 2026
Modified
28 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score N/A
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-38702 is a critical-severity Command Injection (CWE-77) vulnerability in Inhand (inferred from references). Its CVSS base score is 9.8 (Critical).

Operationally, it is not currently listed in the CISA KEV catalog.

NVD Description

A command injection vulnerability exists in the Admin Access feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, IR615 firmware V1.0.118, and earlier versions. Attackers can exploit this vulnerability to obtain ROOT privileges on remote target…

more

devices.

Deeper analysisAI

Automated synthesis unavailable for this CVE.

Details

CWE(s)
CWE-77
OWASP Top 10 Web 2025
A05:2025

Affected Products

Inhand
inferred from references and description; NVD did not file a CPE for this CVE
Regulatory context (EU CRA / NIS2 / DORA / UK NIS Regulations)

EU Cyber Resilience Act — coordinated disclosure

Critical and high-severity vulnerabilities in products with digital elements may trigger coordinated-disclosure obligations under the EU Cyber Resilience Act (CRA, Regulation 2024/2847). Manufacturers placing products on the EU market must notify ENISA and the relevant CSIRTs without undue delay once active exploitation is known.

References