PT-2026-44404 · Ir302+4 · Ir302+4

Published

2026-05-28

Updated

2026-05-29

CVE-2026-38703

CVSS v3.1

9.8

Critical

Vector

AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Name of the Vulnerable Software and Affected Versions IR302 versions prior to 3.5.108 IR305 versions prior to 1.0.118 IR315 versions prior to 1.0.118 IR615 versions prior to 1.0.118

Description A command injection issue exists in the ZeroTier VPN feature. This allows remote attackers to execute arbitrary commands and obtain ROOT privileges on the target devices.

Recommendations Update IR302 to version 3.5.108 or later. Update IR305 to version 1.0.118 or later. Update IR315 to version 1.0.118 or later. Update IR615 to version 1.0.118 or later. As a temporary workaround, consider disabling the ZeroTier VPN feature to minimize the risk of exploitation.

Fix

Command Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

dbugs@ptsecurity.com

Weakness Enumeration

CWE-77

Related Identifiers

CVE-2026-38703

Affected Products

Ir302

Ir305

Ir315

Ir615

Zerotier

PT-2026-44404 · Ir302+4 · Ir302+4

CVE-2026-38703

Weakness Enumeration

Related Identifiers

Affected Products

References · 4