OTPulse

InHand Networks InRouter

Severity: Act Now
CVSS score: 10
Reference: ICS-CERT ICSA-23-012-03
Published: Jan 12, 2023
Attack Vector: Network
Auth Required: None
Complexity: Low
User Interaction: None needed
Summary

InHand Networks InRouter302 and InRouter615 devices contain multiple vulnerabilities that allow MQTT command injection, unauthorized information disclosure, and remote code execution. Successful exploitation could result in an attacker gaining full control over cloud-managed InRouter devices reachable via the internet. The vulnerabilities stem from weak or missing input validation (CWE-78, CWE-319), weak credential generation (CWE-330), improper access control (CWE-284), and credential storage issues (CWE-760). An attacker with network access to the device or cloud service can exploit these without authentication to execute arbitrary code, intercept sensitive data, or manipulate device behavior through malicious MQTT messages.

What this means
What could happen
An attacker could execute arbitrary commands on InRouter devices and inject malicious MQTT messages to alter remote device behavior or obtain sensitive device information. If the attacker chains these vulnerabilities, they could fully compromise every cloud-connected InRouter device accessible to them.
Who's at risk
Water utilities, electric utilities, and other critical infrastructure operators who rely on InHand Networks InRouter302 or InRouter615 devices for remote site management and monitoring. These routers are typically deployed at field sites (water pumping stations, electrical substations, remote monitoring points) to provide secure remote access and device management via cloud services.
How it could be exploited
An attacker on the network or internet reaches the InRouter's cloud management interface (no authentication required) and exploits command injection or information disclosure vulnerabilities to gain initial access. From there, they can execute arbitrary commands on the device and send malicious MQTT messages to manipulate connected systems or extract credentials and configuration data.
Prerequisites
  • Network connectivity to the InRouter or its cloud management service
  • No credentials required for initial exploitation
  • Device is reachable via cloud (internet-accessible)
Tags: remotely exploitable, no authentication required, low complexity, high CVSS score (10), affects cloud-managed infrastructure, no patch available for some versions
Exploitability
Low exploit probability (EPSS 0.4%)
Affected products (2)
2 with fix
Product                  | Affected Versions                              | Fix Status
InRouter302, InRouter615 | InRouter 615: All < InRouter6XX-S-V2.3.0.r5542  | V3.5.56 or later
InRouter302, InRouter615 | InRouter 302: All < IR302 3.5.56               | V3.5.56 or later
Remediation & Mitigation
Do now
HARDENING: Restrict network access to InRouter devices; ensure they are not directly accessible from the Internet
HARDENING: Place InRouter devices behind firewalls and isolate them from business networks
HARDENING: If remote access is required, enforce access through a VPN or secure tunnel rather than direct internet exposure
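The three hardening items above describe one network design: the InRouters sit in their own segment, nothing unsolicited reaches them from the Internet or the business LAN, and administrators come in over a VPN. The nftables ruleset below is an added example of that design for a Linux edge gateway; it is not part of the advisory and not vendor configuration. Interface names (wan0, lan0, ot0, wg0), the subnets, the WireGuard port 51820 and the assumption that the routers are administered over HTTPS/SSH and talk MQTT on 1883/8883 are all assumptions made for the example and must be adapted to the real site.

```nftables
# Added example (not from the advisory): edge firewall in front of InRouter field devices.
# Assumed topology:
#   wan0  - Internet uplink
#   lan0  - business network
#   ot0   - OT segment holding the InRouters (10.20.0.0/24)
#   wg0   - WireGuard tunnel for remote administration (10.99.0.0/24, UDP 51820)
# Management ports (SSH 22, HTTPS 443) and MQTT ports (1883/8883) on the routers
# are reachable only through the tunnel, never from the Internet or the business LAN.

table inet otedge {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif "lo" accept
        # The only service the gateway itself exposes to the Internet is the VPN endpoint
        iif "wan0" udp dport 51820 accept
        # Administer the gateway itself only from inside the tunnel
        iif "wg0" tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop

        # Internet -> OT segment: no unsolicited connections reach the routers
        iif "wan0" oif "ot0" drop
        # Business LAN -> OT segment: blocked, per the isolation guidance
        iif "lan0" oif "ot0" drop

        # Remote administration over the tunnel, limited to the management and MQTT ports
        iif "wg0" oif "ot0" ip saddr 10.99.0.0/24 ip daddr 10.20.0.0/24 \
            tcp dport { 22, 443, 1883, 8883 } accept

        # Routers may initiate outbound sessions (e.g. to the vendor cloud) on TLS ports only;
        # cleartext MQTT (1883) is not permitted to leave the segment
        iif "ot0" oif "wan0" tcp dport { 443, 8883 } accept
        iif "ot0" oif "wan0" udp dport 123 accept
    }
}
```

Load it with `nft -f otedge.nft` and confirm the result with `nft list ruleset`. Because both chains default to drop, anything not listed (including the cleartext MQTT port outbound and any inbound path to the routers that bypasses wg0) is rejected, which is the property the advisory's "not directly accessible from the Internet" item asks for.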
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Update InRouter302 firmware to V3.5.56 or later
HOTFIX: Update InRouter615 firmware to InRouter6XX-S-V2.3.0.r5542 or later
API: /api/v1/advisories/5bb3b284-e0ba-477d-96f5-45315d4f398b