A command injection vulnerability exists in the IPSec VPN feature of InHand Networks IR302 firmware V3.5.108, IR305 firmware V1.0.118, IR315 firmware V1.0.118, …

A critical command injection vulnerability has been discovered in the IPSec VPN feature of multiple InHand Networks router models including IR302, IR305, IR315, and IR615. The vulnerability affects firmware versions V3.5.108 for IR302 and V1.0.118 for other models, as well as all earlier versions. Successful exploitation allows attackers to gain ROOT privileges on remote target devices. This represents a significant security risk for network infrastructure as it provides complete administrative control to malicious actors. The vulnerability is located in a commonly used VPN feature, potentially affecting many deployed devices.