Skip to main content

Teltonika RUTOS EUVDEUVD-2026-34794

| CVE-2026-8914 HIGH
Eval Injection (CWE-95)
2026-06-05 tlt_net GHSA-7p37-7qj9-8qff
8.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
8.4 HIGH
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
X

Lifecycle Timeline

3
Analysis Generated
Jun 05, 2026 - 13:30 vuln.today
CVSS changed
Jun 05, 2026 - 11:22 NVD
8.4 (HIGH)
CVE Published
Jun 05, 2026 - 09:36 nvd
UNKNOWN (no severity yet)

DescriptionCVE.org

In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerability exists where a lower privileged user could perform command injection as the root user.

AnalysisAI

Privilege escalation via eval-based command injection in Teltonika Networks RUTOS (7.22-7.23.2) and TSWOS (1.09-1.09.1) allows an authenticated lower-privileged operator to execute arbitrary commands as root through the rpc-profile component. The flaw stems from unsafe evaluation of user-controllable input in a Lua/UCI RPC handler and is constrained to local/management-plane access, with no public exploit identified at time of analysis. The CVSS 4.0 score of 8.4 reflects total host compromise once a low-tier admin account is obtained on the device.

Technical ContextAI

Teltonika RUTOS and TSWOS are OpenWrt-derived firmware platforms used on RUT-series industrial cellular routers and TSW-series managed switches. The 'rpc-profile' endpoint is part of the device's ubus/RPC management surface (typically reachable via the WebUI or rpcd over local network), which exposes configuration profile operations. CWE-95 (Eval Injection) applies because the handler passes operator-supplied parameters into a dynamic evaluation primitive - almost certainly a Lua loadstring/eval or shell eval invocation - without sanitization, so syntactically valid payloads are executed in the privileged context of the rpcd worker, which runs as root. CPE strings cpe:2.3:a:teltonika_networks:rutos:*:* and :tswos:*:* confirm both product lines share the vulnerable component.

RemediationAI

Patch available per vendor advisory - consult the Teltonika Networks Security Centre at https://www.teltonika-networks.com/support/security-centre for the exact fixed firmware build for your device model and upgrade RUTOS beyond 7.23.2 and TSWOS beyond 1.09.1 once the vendor-listed release is identified (no specific fix version is independently confirmable from the data provided here). Until patched, restrict who holds non-root admin profiles on these devices: remove or downgrade unnecessary user accounts, audit existing role assignments, and ensure the WebUI/rpcd management interfaces are reachable only from a hardened management VLAN or VPN - accepting the operational trade-off that legitimate operators must use that bastioned path. Network-level egress filtering from the device itself can blunt post-exploitation pivoting but does not block the root escalation. Do not expose the management interface to the WAN.

Share

EUVD-2026-34794 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy