Changelog CVE clarification

Hello,

In the release changelog for RUT9M_R_GPL_00.07.23.3, there's mention of CVE-2026-8914 with status “HIGH” having been fixed. However, I cannot find any references to that CVE or information about what it actually is about on the internet. Is the number correct in the changelog, or is it a typo and should be something else?

Can you please elaborate?

The same applies to firmware for several other units as well, e.g. TRB500_R_00.07.23.3 and TRB16_R_00.07.23.3.

Looking forward to a quick response from Teltonika.

#Firmware #FW #CVE

Greetings,

I will consult with our research and development team regarding CVE-2026-8914 and will get back to you once I have an update.

Best Regards,
Justinas

@Justinas Could I gently remind you about this topic?

Hello,

I had the same question, but now some websites give information about the CVE:

https://www.cve.org/CVERecord?id=CVE-2026-8914

Command injection in Profile change function

In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerability exists where a lower privileged user could perform command injection as the root user.

CVSS:4.0/AV:L/AC:L/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N (not complex, high consequences but privileges are required and local vector)

Greetings,

This is a command injection vulnerability, which you can read about here: Security Centre

The CVE ID was published and the information is available now.

The CVSS may be high, but in practice it is not a dangerous vulnerability for most users. This is how it may be exploited:

  • The device must use the json-rpc package, which must be downloaded via Package Manager, as the vulnerability is only exploitable via ubus calls, not via the WebUI. It must also support multi-users, as the attack is only practical from a lower privileged user; admin users can already execute commands with root privileges. https://wiki.teltonika-networks.com/view/Monitoring_via_JSON-RPC_linux_RutOS
  • SMS Utilities is also affected: if the user utilizes SMS Utilities and has provided this functionality to a lower privileged user, it can be exploited.

Best Regards,
Justinas
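An added example, not Teltonika's code: a small POSIX shell check that tells you whether a firmware version string from a changelog name (e.g. RUT9M_R_GPL_00.07.23.3) falls inside the affected ranges quoted from the CVE record above, and combines it with the precondition from the reply above that the ubus route needs the json-rpc package. The package name "json-rpc" in the `opkg list-installed` style listing is an assumption; the listing is read from stdin so the logic can be exercised off-device with constructed data.

```shell
#!/bin/sh
# Convert "00.07.23.3", "7.23.2" or "1.09" into one comparable integer
# (major*1000000 + minor*1000 + patch). A leading "00." release prefix is dropped.
version_key() {
    echo "$1" | awk -F. '{
        if (NF == 4 && $1 + 0 == 0) { $1 = $2; $2 = $3; $3 = $4 }
        printf "%d\n", ($1 + 0) * 1000000 + ($2 + 0) * 1000 + ($3 + 0)
    }'
}

# Affected ranges as published for CVE-2026-8914:
#   RutOS 7.22 .. 7.23.2, TSWOS 1.09 .. 1.09.1 (fixed in 7.23.3 per the changelog).
# Prints "not-affected" (below range), "affected" (in range) or "fixed" (above range).
cve_2026_8914_status() {
    family=$1; ver=$(version_key "$2")
    case $family in
        rutos) lo=$(version_key 7.22); hi=$(version_key 7.23.2) ;;
        tswos) lo=$(version_key 1.09); hi=$(version_key 1.09.1) ;;
        *) echo "unknown-family"; return 0 ;;
    esac
    if [ "$ver" -lt "$lo" ]; then echo "not-affected"
    elif [ "$ver" -gt "$hi" ]; then echo "fixed"
    else echo "affected"
    fi
}

# Exposure check from the vendor reply: the ubus/json-rpc path only matters when
# the json-rpc package is installed. Reads an "opkg list-installed" style listing
# ("name - version" per line) from stdin; the package name is an assumption.
exposure() {
    status=$(cve_2026_8914_status "$1" "$2")
    if [ "$status" = affected ] && grep -q '^json-rpc ' ; then
        echo "affected-and-jsonrpc-installed"
    else
        echo "$status"
    fi
}

# Stand-alone demo on the release names from this thread (constructed input).
for rel in RUT9M_R_GPL_00.07.23.3 TRB500_R_00.07.23.3; do
    echo "$rel: $(cve_2026_8914_status rutos "${rel##*_}")"
done
```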

Many people fail to understand that. They see a high severity score, and they start to panic. That's not how it works. A CVE can have a 10/10 rating but in reality be pretty harmless because it requires local access. If someone has local access to your equipment, then you have a much bigger problem.