A critical command injection vulnerability in the IPSec VPN configuration of InHand Networks industrial gateways allows remote attackers to gain full administrative control.

This is a command injection vulnerability located within the IPSec VPN functionality. The application fails to sanitize inputs during configuration, enabling an unauthenticated attacker to inject malicious commands that execute with root privileges on the underlying operating system.

The CVSS score of 9.8 underscores the extreme severity of this flaw. By obtaining root access via the VPN service, an attacker can bypass security controls, pivot into the internal network, or disable security logging. This poses a catastrophic risk to organizational data integrity and availability, particularly in environments relying on these devices for secure remote connectivity.

Immediate Action: Apply the latest firmware updates provided by InHand Networks to all affected IR-series gateways as outlined in the vendor advisory.

Proactive Monitoring: Review system logs for unauthorized configuration changes or anomalous command-line activity that may indicate an attempt to exploit the VPN interface.

Compensating Controls: Implement strict network access control lists (ACLs) to limit access to the device management interfaces to authorized management workstations only.

Public Exploit Available: false

This vulnerability is critical and requires immediate attention. Security teams must coordinate with network administrators to identify and patch all affected InHand Networks hardware to prevent potential remote code execution and subsequent system compromise.