CVE-2026-8914
Awaiting Analysis Awaiting Analysis - Queue
Command Injection in Teltonika RUTOS and TSWOS Devices

Publication date: 2026-06-05

Last updated on: 2026-06-05

Assigner: Teltonika Networks

Description
In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerability exists where a lower privileged user could perform command injection as the root user.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-06-05
Last Modified
2026-06-05
Generated
2026-06-25
AI Q&A
2026-06-05
EPSS Evaluated
2026-06-24
NVD
CVE-2026-8914
EUVD
EUVD-2026-34794
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
teltonika_networks rutos 7.22
teltonika_networks rutos 7.23.2
teltonika_networks tswos 1.09
teltonika_networks tswos 1.09.1
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability exists in Teltonika Networks RUTOS devices (versions 7.22 through 7.23.2) and TSWOS devices (versions 1.09 through 1.09.1). It is caused by unsafe calls to an eval function in the rpc-profile component, which allows a lower privileged user to perform command injection with root user privileges.

Impact Analysis

The vulnerability allows a lower privileged user to execute commands as the root user on affected devices. This can lead to unauthorized control over the device, potentially compromising its security, integrity, and availability.

Mitigation Strategies

To mitigate the vulnerability in Teltonika Networks RUTOS and TSWOS devices, it is important to keep your devices updated with the latest firmware versions provided by Teltonika Networks.

Teltonika emphasizes a secure software development lifecycle including penetration testing and static code scanning to address vulnerabilities like CVE-2026-8914.

Ensuring your devices are running versions later than those affected (beyond RUTOS 7.23.2 and TSWOS 1.09.1) will help prevent exploitation of this command injection vulnerability.

Compliance Impact

The provided information does not explicitly mention the impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

However, Teltonika Networks has addressed CVE-2026-8914 by conducting third-party penetration testing and achieving certification under the IEC 62443-4-1:2018 standard, which relates to secure product development lifecycle requirements. They also comply with the Radio Equipment Directive (RED) cybersecurity requirements and emphasize a secure software development lifecycle to mitigate cybersecurity risks.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-8914. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart