CVE-2026-8914 PUBLISHED

Command injection in Profile change function

Assigner: tlt_net
Reserved: 19.05.2026 Published: 05.06.2026 Updated: 05.06.2026

In Teltonika Networks RUTOS devices running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, unsafe calls to an eval function in rpc-profile allow a lower-privileged user to perform command injection as the root user.

Metrics

CVSS Vector: CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
CVSS Score: 8.4

Product Status

Vendor Teltonika Networks
Product RUTOS
Versions Default: unaffected
  • affected from 7.22 to 7.23.2 (incl.)

Vendor Teltonika Networks
Product TSWOS
Versions Default: unaffected
  • affected from 1.09 to 1.09.1 (incl.)

Solutions

Update to TSWOS 1.10 or later.

Problem Types

  • CWE-95 Improper neutralization of directives in dynamically evaluated code ('eval injection')

Impacts

  • CAPEC-35 Leverage Executable Code in Non-Executable Files