How is CVE-2026-5416 exploited?

Network reachability (required): The attacker must be able to reach the switch's management interface over the network; the vulnerability is exposed remotely via AV:N. Authentication (required): A valid low-privilege account on the device is sufficient; no administrator or elevated credentials are needed (PR:L). Victim interaction (not-required): No user action is needed; the attacker exploits the vulnerability entirely without involving another person (UI:N). Attack complexity (info): Exploitation is reliable and condition-free; no race conditions or special environmental factors are required (AC:L, AT:N).

What is the impact of CVE-2026-5416?

The attacker executes arbitrary operating system commands on the switch, achieving full system compromise. All stored configuration, credentials, and secrets held on the device are readable by the attacker (VC:H). The attacker can modify switch configuration, routing tables, and persisted settings (VI:H). The attacker can crash or fully disable the switch, disrupting all network traffic it carries (VA:H).

Back to search

HIGHCVE-2026-5416Published 2026-06-16Modified 2026-06-16CNA CERTVDE

CVE-2026-5416: Command Injection via name parameter

Due to the improper neutralization of special elements used in a name parameter a low privileged remote attacker can exploit a command injection vulnerability in the Managed Ethernet Switch, resulting in full system compromise.

CVSS v4.0: 8.7
Severity: HIGH
Fixed in: —
Affected Products: 3

HarborGuard Analysis

Synopsis

Command injection in the name parameter of TURCK Managed Ethernet Switch firmware (TBEN-LL-SE-M2, TBEN-L4-SE-M2, and TBEN-L5-SE-M2 at versions 2.0.6.0 and below) allows a remote attacker with a low-privilege account to inject arbitrary operating system commands over the network without victim interaction. Successful exploitation gives the attacker full control of the affected device, including reading, modifying, and disrupting all switch functions. No fix version has been published; HarborGuard is tracking this advisory for patch availability.

HarborGuard Coverage

Detection

Detection for CVE-2026-5416 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against customer images, including custom-built images that bundle affected TURCK firmware versions. Any image found running firmware at or below version 2.0.6.0 on the affected TBEN switch models is flagged automatically.

Available

Triage

HarborGuard scores this CVE at 8.7 (HIGH) using the CVSS v4.0 vector and weights the finding against each environment's compliance policy to determine urgency and routing. The resulting alert is directed to the appropriate team inbox within the customer organization based on asset ownership and policy configuration.

Available

Patch

Because no fix version has been published upstream, HarborGuard re-checks the CERTVDE advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that point.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The attacker must be able to reach the switch's management interface over the network; the vulnerability is exposed remotely via AV:N.
AuthenticationRequired
A valid low-privilege account on the device is sufficient; no administrator or elevated credentials are needed (PR:L).
Victim interactionNot required
No user action is needed; the attacker exploits the vulnerability entirely without involving another person (UI:N).
Attack complexityDetail
Exploitation is reliable and condition-free; no race conditions or special environmental factors are required (AC:L, AT:N).

Blast Radius

The attacker executes arbitrary operating system commands on the switch, achieving full system compromise.
All stored configuration, credentials, and secrets held on the device are readable by the attacker (VC:H).
The attacker can modify switch configuration, routing tables, and persisted settings (VI:H).
The attacker can crash or fully disable the switch, disrupting all network traffic it carries (VA:H).

How HarborGuard Handles This

Available on HarborGuard: detection for this CVE is active for all images in customer registries and CI pipelines, with matching occurring within minutes of the advisory ingest. Because no upstream fix exists yet, HarborGuard monitors the CERTVDE advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment a fix version is published; customers with auto-remediation enabled will receive the rebuild, regression test run, and a PR against affected workloads without manual intervention. In the interim, compensating controls worth considering include network-policy isolation to restrict access to the switch management interface to trusted hosts only, egress filtering to limit lateral movement from a compromised device, and disabling remote management access where operationally feasible. HarborGuard will surface this CVE as an open finding until an upstream patch is available and incorporated into a confirmed clean image.

See how HarborGuard automates this

Affected packages

TURCK / TBEN-LL-SE-M2
≤ 2.0.6.0
TURCK / TBEN-L4-SE-M2
≤ 2.0.6.0
TURCK / TBEN-L5-SE-M2
≤ 2.0.6.0

CVSS Vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

References

certvde.com

Metrics

Get notified