InHand Networks IR615 Router (Update A)

Plan PatchCVSS 9.8ICS-CERT ICSA-21-280-05Oct 7, 2021

Attack path

Attack VectorNetwork

Auth RequiredNone

ComplexityLow

User InteractionNone needed

Summary

InHand Networks IR615 Router firmware version 2.3.0.r5417 and earlier contains multiple vulnerabilities including authorization bypass (CWE-285, CWE-352), weak cryptography (CWE-326, CWE-307, CWE-521), insecure file upload (CWE-434), command injection (CWE-78), and other flaws. These allow unauthenticated remote attackers to execute arbitrary code, steal credentials and session data, upload malicious files, delete system files, brute-force user accounts, and gain full control of the device. The vulnerabilities can be exploited with low complexity from the network without any user credentials or interaction.

What this means

What could happen

An attacker with network access to the IR615 router can gain full administrative control, execute arbitrary code, steal credentials and communications, or cause operational disruption by uploading malicious files or deleting system files.

Who's at risk

Water authorities, electric utilities, and other critical infrastructure organizations using InHand IR615 routers for SCADA/remote access to PLC, RTU, or field equipment should prioritize this issue. The router is commonly deployed as a remote site gateway and a compromise could expose the entire site network.

How it could be exploited

An attacker on the network can send a specially crafted request to the IR615 to exploit one of the authorization, input validation, or weak cryptography flaws. This allows bypass of login controls and execution of arbitrary commands on the router, which could redirect traffic, intercept sensitive data, or disrupt connectivity to remote sites and control systems.

Prerequisites

Network access to the IR615 (direct LAN or routed IP connectivity)
Device running firmware version 2.3.0.r5417 or earlier

Remotely exploitableNo authentication requiredLow complexityHigh CVSS (9.8)No patch availableMultiple weaknesses (authorization bypass, weak cryptography, file upload, code execution)

Exploitability

Unlikely to be exploited — EPSS score 0.7%

Affected products (1)

ProductAffected VersionsFix Status

IR615 Router:≤ 2.3.0.r54172.3.0.r5484+

Remediation & Mitigation

0/4

Do now

0/3

HARDENINGIsolate the IR615 behind a firewall; restrict inbound network access to only necessary management and site-to-site VPN ports from trusted administrative IP ranges

HARDENINGRestrict direct Internet access to the IR615; use a management network or out-of-band access method (console, serial) for firmware updates and administration

WORKAROUNDMonitor the router for unauthorized login attempts and unusual command execution; enable logging if available and review logs regularly

Schedule — requires maintenance window

0/1

Patching may require device reboot — plan for process interruption

HOTFIXUpgrade IR615 firmware to version 2.3.0.r5484 or later

CVEs (13)

CVE-2021-38472 CVE-2021-38486 CVE-2021-38480 CVE-2021-38464 CVE-2021-38474 CVE-2021-38484 CVE-2021-38466 CVE-2021-38470 CVE-2021-38478 CVE-2021-38482 CVE-2021-38468 CVE-2021-38476 CVE-2021-38462

View full CISA ICS-CERT advisory

↑↓ Navigate · Esc Close

API: /api/v1/advisories/7a727881-6f37-4766-8e47-44145028bed8

Get OT security insights every Tuesday

Advisory breakdowns, a weekly summary, and incident analyses for the people actually defending OT environments. Free, no account required.