Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerability exists where a lower privileged user could perform command injection as the root user.
AnalysisAI
Privilege escalation via eval-based command injection in Teltonika Networks RUTOS (7.22-7.23.2) and TSWOS (1.09-1.09.1) allows an authenticated lower-privileged operator to execute arbitrary commands as root through the rpc-profile component. The flaw stems from unsafe evaluation of user-controllable input in a Lua/UCI RPC handler and is constrained to local/management-plane access, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.4 reflects total host compromise once a low-tier admin account is obtained on the device.
Technical ContextAI
Teltonika RUTOS and TSWOS are OpenWrt-derived firmware platforms used on RUT-series industrial cellular routers and TSW-series managed switches. The 'rpc-profile' endpoint is part of the device's ubus/RPC management surface (typically reachable via the WebUI or rpcd over local network), which exposes configuration profile operations. CWE-95 (Eval Injection) applies because the handler passes operator-supplied parameters into a dynamic evaluation primitive - almost certainly a Lua loadstring/eval or shell eval invocation - without sanitization, so syntactically valid payloads are executed in the privileged context of the rpcd worker, which runs as root. CPE strings cpe:2.3:a:teltonika_networks:rutos:*:* and :tswos:*:* confirm both product lines share the vulnerable component.
RemediationAI
Patch available per vendor advisory - consult the Teltonika Networks Security Centre at https://www.teltonika-networks.com/support/security-centre for the exact fixed firmware build for your device model and upgrade RUTOS beyond 7.23.2 and TSWOS beyond 1.09.1 once the vendor-listed release is identified (no specific fix version is independently confirmable from the data provided here). Until patched, restrict who holds non-root admin profiles on these devices: remove or downgrade unnecessary user accounts, audit existing role assignments, and ensure the WebUI/rpcd management interfaces are reachable only from a hardened management VLAN or VPN - accepting the operational trade-off that legitimate operators must use that bastioned path. Network-level egress filtering from the device itself can blunt post-exploitation pivoting but does not block the root escalation. Do not expose the management interface to the WAN.
Same weakness CWE-95 – Eval Injection
View allSame technique Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-34794
GHSA-7p37-7qj9-8qff