Login Sign Up

CVE-2022-26007

7.2 HIGH
Remote Code Execution

📋 TL;DR

This CVE describes an OS command injection vulnerability in InHand Networks InRouter302's console factory functionality. Attackers can execute arbitrary commands on affected devices by sending specially crafted network requests. Organizations using InRouter302 V3.5.4 devices are affected.

💻 Affected Systems

Products:
  • InHand Networks InRouter302
Versions: V3.5.4
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the console factory functionality specifically; devices must have this feature enabled/accessible.

📦 What is this software?

Ir302 Firmware by Inhandnetworks

View all CVEs affecting Ir302 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Full device compromise allowing attacker to install persistent backdoors, pivot to internal networks, or use device as botnet node.

🟠

Likely Case

Unauthenticated remote code execution leading to device takeover, credential theft, and network reconnaissance.

🟢

If Mitigated

Limited impact if devices are behind firewalls with restricted network access and proper segmentation.

🌐 Internet-Facing: HIGH - Directly exploitable via network requests without authentication.
🏢 Internal Only: HIGH - Even internally, any network-accessible device is vulnerable to exploitation.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploit details published in Talos report; requires network access to device but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: V3.5.45 or later

Vendor Advisory: https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

Restart Required: Yes

Instructions:

1. Download latest firmware from InHand Networks support portal. 2. Backup current configuration. 3. Upload and install firmware update via web interface. 4. Reboot device. 5. Restore configuration if needed.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to InRouter302 devices using firewall rules

Disable Console Factory

all

Disable console factory functionality if not required

🧯 If You Can't Patch

  • Isolate affected devices in separate VLAN with strict firewall rules
  • Implement network monitoring for suspicious traffic to/from InRouter302 devices

🔍 How to Verify

Check if Vulnerable:

Check device firmware version via web interface or CLI; if version is V3.5.4, device is vulnerable.

Check Version:

Check via web interface: System > System Info > Firmware Version

Verify Fix Applied:

Verify firmware version is V3.5.45 or later after patching.

📡 Detection & Monitoring

Log Indicators:

  • Unusual command execution in system logs
  • Multiple failed authentication attempts followed by console factory access

Network Indicators:

  • Unexpected network traffic to console factory ports
  • Outbound connections from InRouter302 to unknown destinations

SIEM Query:

source="inrouter302" AND (event="command_execution" OR event="console_factory_access")

📊 Metadata

CVE ID: CVE-2022-26007
CVSS v3 Score: 7.2 (HIGH)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-77
Published: May 12, 2022
Last Updated: November 21, 2024

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2022-26007, you might also want to check these:

CVE-2024-48841 10.0

This critical vulnerability in FLXEON software allows remote attackers to execute arbitrary code wit...

Same vulnerability type (CWE-77)
CVE-2025-59818 10.0

This vulnerability allows authenticated attackers to execute arbitrary system commands by manipulati...

Same vulnerability type (CWE-77)
CVE-2024-28354 10.0

This is a critical command injection vulnerability in TRENDnet TEW-827DRU routers that allows remote...

Same vulnerability type (CWE-77)