A command injection vulnerability exists in the ZeroTier VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.11…

A command injection vulnerability has been discovered in the ZeroTier VPN feature of multiple InHand Networks industrial router models including IR302, IR305, IR315, and IR615. The vulnerability affects specific firmware versions and allows attackers to gain ROOT privileges on remote target devices. This represents a critical security flaw in industrial networking equipment that could provide attackers with complete system control. The vulnerability impacts the ZeroTier VPN functionality specifically, which is commonly used for secure remote access in industrial environments. Given the ROOT privilege escalation capability and remote exploitation potential, this poses significant risks to operational technology networks.