HIGH | CVE-2026-8914 | Published | Modified | CNA tlt_net

CVE-2026-8914: Command injection in Profile change function

In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerability exists where a lower privileged user could perform command injection as the root user.

Metrics

CVSS v4.0: 8.4
Severity: HIGH
Fixed in: (none listed)
Affected Products: 2


HarborGuard Analysis

Synopsis

Command injection in the profile change function (rpc-profile) affects Teltonika Networks RUTOS devices running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1. The vulnerability stems from unsafe use of an eval function call that fails to sanitize user input, allowing a low-privileged authenticated user to inject and execute arbitrary commands as root. Successful exploitation gives the attacker full root-level control over the device, including read and write access to all data and system configuration. HarborGuard is tracking the advisory for patch availability, as no fix version has been published upstream.

HarborGuard Coverage

Detection

Detection for CVE-2026-8914 is available across every HarborGuard environment; the CVE is ingested from upstream feeds and matched against customer images within minutes of publication, including custom-built images that bundle RUTOS or TSWOS firmware components.

Status: Available

Triage

HarborGuard scores this CVE at 8.4 HIGH using the CVSS v4.0 vector and is capable of weighting that score against each customer environment's compliance policy to determine urgency. Findings are routable to the appropriate team inbox within each customer organization based on policy-defined ownership rules.

Status: Available

Patch

Because no upstream fix version has been published, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment Teltonika Networks ships a corrected release. In the interim, customers can use HarborGuard's compensating-control recommendations to apply network-policy isolation and access restrictions to affected workloads.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Not required

    The attack vector is local (AV:L), meaning the attacker needs an existing shell or process on the host rather than any over-the-network access.

  • Authentication: Required

    A privileged account (PR:H) is required, meaning the attacker must already hold an admin or similarly elevated credential on the device before exploiting the vulnerability.

  • Victim interaction: Not required

    No victim interaction is needed (UI:N); the attacker can carry out the injection entirely on their own without involving another user.

  • Attack complexity: Detail

    Attack complexity is low (AC:L), meaning the exploit is reliable and does not depend on race conditions, special memory layouts, or other variable environmental factors.

Blast Radius

  • A successful attacker executes arbitrary OS commands as root, gaining full control over the device's operating environment.
  • All stored configuration data, credentials, and secrets held on the device are readable by the attacker.
  • The attacker can modify persisted device configuration, including network routing rules, firewall policy, and user account definitions.
  • The attacker can crash or restart any running service on the device, disrupting network connectivity or management functions.

How HarborGuard Handles This

Available on HarborGuard: the platform ingests the CVE-2026-8914 advisory on every feed cycle and matches it against any customer image that bundles affected RUTOS or TSWOS versions. Because Teltonika Networks has not yet published a fix, no patched-image rebuild is available at this time; HarborGuard will generate and surface that rebuild automatically as soon as an upstream fix version is released. For customers who opt into auto-remediation, the rebuild will be followed by a regression test run and a PR opened against affected workloads without manual intervention. While no patch exists, HarborGuard's policy engine can flag affected images for compensating controls: tightening network-policy rules to restrict local shell access, enforcing least-privilege account policies to limit who holds the high-privilege credentials this exploit requires, and enabling egress filtering to reduce post-exploitation reach. Customers should review HarborGuard findings for any image that includes rpc-profile from the affected version ranges and treat those images as requiring elevated monitoring until upstream ships a fix.

Affected packages
  • Teltonika Networks / RUTOS
    ≤ 7.23.2
  • Teltonika Networks / TSWOS
    ≤ 1.09.1
CVSS Vector
CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
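
With no fixed release listed, the practical first step is knowing which devices fall inside the affected ranges. The following is an added example, not HarborGuard or Teltonika code: it checks a device inventory against the ranges in the advisory description, assuming versions are recorded as plain dotted strings such as `7.23.2`; the host names and inventory layout are constructed for illustration.

```python
import re

# Inclusive ranges from the advisory description. The "Affected packages"
# list on the page gives only the upper bounds (<= 7.23.2, <= 1.09.1).
AFFECTED = {"RUTOS": ("7.22", "7.23.2"), "TSWOS": ("1.09", "1.09.1")}

def parse_version(text):
    """Parse a plain dotted version ('7.23.2') into a comparable tuple."""
    text = text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {text!r}")
    parts = [int(p) for p in text.split(".")]   # '09' is read as 9 (assumption)
    while len(parts) > 1 and parts[-1] == 0:    # treat 7.22.0 as equal to 7.22
        parts.pop()
    return tuple(parts)

def classify(os_name, version):
    """Return 'affected', 'not-affected', 'review' or 'not-applicable'."""
    bounds = AFFECTED.get(os_name.strip().upper())
    if bounds is None:
        return "not-applicable"
    try:
        v = parse_version(version)
    except ValueError:
        # Unparseable version strings are flagged instead of silently passing.
        return "review"
    low, high = parse_version(bounds[0]), parse_version(bounds[1])
    return "affected" if low <= v <= high else "not-affected"

def needs_attention(inventory):
    """List (host, status) for devices that are affected or need manual review."""
    results = []
    for device in inventory:
        status = classify(device["os"], device["version"])
        if status in ("affected", "review"):
            results.append((device["host"], status))
    return results

# Constructed sample inventory (hypothetical hosts and versions).
INVENTORY = [
    {"host": "edge-rtr-01", "os": "RUTOS", "version": "7.22"},
    {"host": "edge-rtr-02", "os": "RUTOS", "version": "7.23.3"},
    {"host": "core-sw-01", "os": "TSWOS", "version": "1.09.1"},
    {"host": "core-sw-02", "os": "TSWOS", "version": "1.10"},
    {"host": "lab-rtr-09", "os": "RUTOS", "version": "custom-build-7.x"},
]

if __name__ == "__main__":
    for host, status in needs_attention(INVENTORY):
        print(f"{host}: {status}")
```
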