Several serious vulnerabilities discovered by researchers in industrial routers made by InHand Networks could expose many organizations to remote attacks, and patches do not appear to be available.
The flaws were discovered nearly one year ago by researchers at industrial cybersecurity firm OTORIO in IR615 LTE routers made by industrial IoT solutions provider InHand Networks. The company has offices in China, the U.S. and Germany, and its products are used all around the world. InHand says its customers include Siemens, GE Healthcare, Coca Cola, Philips Healthcare and other major companies.
According to an advisory published last week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA), OTORIO researchers discovered a total of 13 vulnerabilities in the IR615 router.
The list includes critical cross-site request forgery (CSRF), remote code execution, command injection, and weak password policy issues, as well as high-severity improper authorization and cross-site scripting (XSS) vulnerabilities.
CISA warned that malicious actors could exploit the vulnerabilities to take complete control of affected devices and intercept communications in an effort to steal sensitive information.
OTORIO told SecurityWeek that it has identified thousands of internet-exposed InHand routers that could be vulnerable to attacks, but the company noted that exploitation from the internet requires authentication to the router’s web management portal. An attacker could authenticate to the device using default credentials or by leveraging brute-force attacks to obtain login credentials. Brute-force attacks are made easy by the router’s weak password policy and a flaw that can be used to enumerate all valid user accounts.
The cybersecurity firm warned that an attacker could leverage the vulnerabilities to infiltrate an organization. From the InHand device, the attacker could move to other industrial systems within the victim’s network.
“The attacker may abuse the Remote Code Execution vulnerability to get a first foothold on the device via running CLI commands; implant a first backdoor on the device as a persistence stage; and start scanning the internal organization network in order to elevate the attacker privileges and move on to sensitive assets on the network,” explained Hay Mizrachi, penetration tester at OTORIO. “The final objective is to achieve Domain Admin privileges on the organization. Of course, if there are additional sensitive networks such as OT networks, the attacker can try to get a foothold and disrupt the day-to-day functioning of the product line floor to cause additional damage and financial costs.”
OTORIO reported its findings to InHand Networks, through CISA, in November 2020. However, CISA said in its advisory that the vendor “has not responded to requests to work with CISA to mitigate these vulnerabilities.” CISA has provided some generic mitigations to help impacted organizations reduce the risk of exploitation.
SecurityWeek has reached out to InHand Networks for comment and will update this article if the company responds.
UPDATE 06/30/2022: InHand has informed SecurityWeek that an advisory addressing the vulnerabilities has been published. An update that should patch the flaws has been released.

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
