Critical Vulnerabilities Provide Root Access to InHand Industrial Routers

A total of 17 vulnerabilities have been found in a wireless industrial router made by InHand Networks, including flaws that can be chained to gain root access by getting a user to click on a malicious link.

The flaws affect the InRouter 302 compact industrial LTE router, which is designed for commercial and industrial environments, including for applications in the hospitality, financial, automotive, utilities, retail, public safety, and energy sectors. Some of the world’s largest organizations use InHand products.

The security holes, a vast majority of which have been assigned a “critical” or “high severity” rating, were discovered by researchers at Cisco’s Talos threat intelligence and research unit. They can lead to arbitrary file uploads, code execution, privilege escalation, OS command injection, and unauthorized firmware updates.

The weaknesses affect IR302 version 3.5.37 and prior, and they have been patched with the release of version 3.5.45.

Some of the 17 vulnerabilities discovered by Talos researchers in the InRouter 302 product can be chained to gain root access to the device. The router can be managed through a web interface or a console that can be accessed via telnet or SSH, but users should not have access to the underlying Linux system.

A theoretical attack scenario described by Talos starts with the exploitation of a cross-site scripting (XSS) vulnerability that allows the attacker to execute arbitrary JavaScript code and exfiltrate the session cookie of a user who clicks on a specially crafted link that triggers the exploit.

Regardless of whether the stolen cookie gives them privileged or non-privileged access, the attacker can exploit one of three vulnerabilities to obtain root access. The options include abusing a hidden command that spawns a root shell and uploading a specially crafted file to achieve remote code execution.

In Talos’ attack scenario, if the attacker obtains non-privileged access following the exploitation of the XSS vulnerability, they can use one of two vulnerabilities that allow a user with lower privileges to escalate permissions, including by changing or obtaining a privileged user’s password.

If the XSS attack helps the attacker obtain privileged access, they have at least two vulnerabilities at their disposal that they can exploit to gain root access to the Linux operating system running on the router.

“Once root access to the router is obtained any number of effects can be achieved including, but not limited to, injecting, dropping, or inspecting packets, DNS poisoning, or further pivoting into the network,” Talos explained.

Talos published a blog post and advisories describing its findings on Thursday, and InHand released its own advisory on May 10.

InHand seems to be improving its vulnerability handling process. In October 2021, the US Cybersecurity and Infrastructure Security Agency (CISA) published an advisory to inform organizations about 13 vulnerabilities discovered in InHand’s IR615 router nearly one year earlier.

The flaws exposed many companies to remote attacks, but they appeared to be unpatched at the time of disclosure, with the vendor only releasing its own advisory and announcing fixes a few weeks later.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
