InHand Networks InRouter302 OS Command Injection Vulnerability

Key Information

CVE Number: CVE-2022-26042
CVSSv3 Score: 9.9 - CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Summary

An OS command injection vulnerability exists in the daretools binary functionality of InHand Networks InRouter302 V3.5.4. A specially-crafted network request can lead to arbitrary command execution. An attacker can send a sequence of requests to trigger this vulnerability.

Details

Affected Product: InHand Networks InRouter302 V3.5.4
Product URL: https://www.inhandnetworks.com/products/inrouter300.html

Vulnerability Description

The InRouter302 is an industrial LTE router with remote management functionalities. It offers telnet and sshd services. A low-privileged user can log in and use a command called , which is not listed among the available functionalities. This functionality will request a password and, based on the value provided, perform different actions, including executing arbitrary code.

Code Snippet Analysis

The function checks if the provided password matches a hard-coded string. If so, it executes the binary. The reaches a loop, gets a line from , and performs different operations based on the value. If the line starts with or , it executes the function.

Exploit Proof of Concept

Using the command and providing the correct password, an attacker can execute arbitrary code:

Vendor Response

The vendor has updated their website and uploaded the latest firmware. Advisories are available at:

https://inhandnetworks.com/product-security-advisories.html
https://www.inhandnetworks.com/products/inrouter302.html#link4
https://www.inhandnetworks.com/upload/attachment/202205/10/InHand-PSA-2022-01.pdf

Timeline

2022-04-06: Vendor Disclosure
2022-05-10: Public Release
2022-05-10: Vendor Patch Release

Credit

Discovered by Francesco Benvenuto of Cisco Talos.