CVE-2023-22598
Published: 12 January 2023
Summary
CVE-2023-22598 is a high-severity OS Command Injection (CWE-78) vulnerability in InHand Networks InRouter 302 firmware. Its CVSS base score is 7.2 (High).
Operationally, it is ranked in the top 18.3% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog.
Deeper analysis
InHand Networks InRouter 302 prior to version IR302 V3.5.56 and InRouter 615 prior to version InRouter6XX-S-V2.3.0.r5542 are affected by an OS command injection vulnerability classified as CWE-78. The flaw resides in the handling of configuration update files submitted through the local web interface or the associated cloud management account, where special elements used in operating system commands are not properly neutralized.
An attacker with privileged access to either the web interface or the cloud account can upload a specially crafted configuration file that results in remote code execution with root privileges on the affected router. The CVSS 3.1 score of 7.2 reflects the requirement for high privileges and the high impact on confidentiality, integrity, and availability.
CISA has published advisory ICSA-23-012-03 detailing the issue. The EPSS score rose materially from a low baseline to a peak of 0.2350 on 2025-01-22 before receding to the current value of 0.0153, indicating that exploitation interest increased well after initial disclosure.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2023-26735
Vulnerability details
InHand Networks InRouter 302, prior to version IR302 V3.5.56, and InRouter 615, prior to version InRouter6XX-S-V2.3.0.r5542, contain vulnerability CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection'). An unauthorized user with privileged access to the local web interface or the cloud account managing the affected devices could push a specially crafted configuration update file to gain root access. This could lead to remote code execution with root privileges.
- CWE(s)
Related Threats
No named actor attribution yet. ATT&CK technique mapping in progress for this CVE.
Affected Assets
Mitigating Controls
Likely Mitigating Controls
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.