Cyber Resilience

CVE-2023-22598

High · RCE

Published: 12 January 2023

Modified: 21 November 2024
CVSS Score v3.1: 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0153 (81.7th percentile)
Risk Priority: 15 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2023-22598 is a high-severity OS command injection (CWE-78) vulnerability in InHand Networks InRouter 302 firmware. Its CVSS base score is 7.2 (High).

Operationally, it ranks in the top 18.3% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.

Deeper analysis

InHand Networks InRouter 302 prior to version IR302 V3.5.56 and InRouter 615 prior to version InRouter6XX-S-V2.3.0.r5542 are affected by an OS command injection vulnerability (CWE-78). The flaw resides in the handling of configuration update files submitted through the local web interface or the associated cloud management account, where special elements used in operating system commands are not properly neutralized.

An attacker with privileged access to either the web interface or the cloud account can upload a specially crafted configuration file that results in remote code execution with root privileges on the affected router. The CVSS 3.1 score of 7.2 reflects the requirement for high privileges and the high impact on confidentiality, integrity, and availability.

CISA has published advisory ICSA-23-012-03 detailing the issue. The EPSS score rose materially from a low baseline to a peak of 0.2350 on 2025-01-22 before receding to the current value of 0.0153, indicating that exploitation interest increased well after initial disclosure.


Vulnerability details

InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). An unauthorized user with privileged access to the local web interface or the cloud account managing the affected devices could push a specially crafted configuration update file to gain root access. This could lead to remote code execution with root privileges.


Related Threats

No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.

Affected Assets

inhandnetworks · inrouter302 firmware · ≤ 3.5.56
inhandnetworks · inrouter615-s firmware · ≤ 2.3.0.r5542

Mitigating Controls

Likely Mitigating Controls (AI)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

addresses: CWE-78

Platform-independent apps typically execute inside a managed runtime or sandbox that restricts direct OS command execution, reducing the ability to exploit OS command injection.

addresses: CWE-78

Validates inputs to block special elements that would alter OS command execution.
