CVE-2026-8914
Received Received - Intake
Command Injection in Teltonika RUTOS and TSWOS Devices

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Teltonika Networks

Description
In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerability exists where a lower privileged user could perform command injection as the root user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-05
AI Q&A
2026-06-05
EPSS Evaluated
N/A
NVD
CVE-2026-8914
EUVD
EUVD-2026-34794
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
teltonika_networks rutos 7.22
teltonika_networks rutos 7.23.2
teltonika_networks tswos 1.09
teltonika_networks tswos 1.09.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?

This vulnerability exists in Teltonika Networks RUTOS devices (versions 7.22 through 7.23.2) and TSWOS devices (versions 1.09 through 1.09.1). It is caused by unsafe calls to an eval function in the rpc-profile component, which allows a lower privileged user to perform command injection with root user privileges.


How can this vulnerability impact me? :

The vulnerability allows a lower privileged user to execute commands as the root user on affected devices. This can lead to unauthorized control over the device, potentially compromising its security, integrity, and availability.


What immediate steps should I take to mitigate this vulnerability?

To mitigate the vulnerability in Teltonika Networks RUTOS and TSWOS devices, it is important to keep your devices updated with the latest firmware versions provided by Teltonika Networks.

Teltonika emphasizes a secure software development lifecycle including penetration testing and static code scanning to address vulnerabilities like CVE-2026-8914.

Ensuring your devices are running versions later than those affected (beyond RUTOS 7.23.2 and TSWOS 1.09.1) will help prevent exploitation of this command injection vulnerability.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:

The provided information does not explicitly mention the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

However, Teltonika Networks has addressed CVE-2026-8914 by conducting third-party penetration testing and achieving certification under the IEC 62443-4-1:2018 standard, which relates to secure product development lifecycle requirements. They also comply with the Radio Equipment Directive (RED) cybersecurity requirements and emphasize a secure software development lifecycle to mitigate cybersecurity risks.


Ask Our AI Assistant
Need more information? Ask your question to get an AI reply (Powered by our expertise)
0/70
EPSS Chart