CVE-2026-5416
Description
A command injection flaw in the name parameter of TURCK TBEN-Lx-SE-M2 Managed Ethernet Switches allows low-privileged remote attackers to execute arbitrary commands and fully compromise the device.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
A command injection vulnerability exists in the Managed Ethernet Switch series TBEN-Lx-SE-M2 (models including TBEN-L4-SE-M2) running firmware versions prior to 2.1.2.0. The issue originates from improper neutralization of special elements used in a name parameter [1]. An attacker with low privileges can send specially crafted input to the vulnerable parameter, which is then processed by the device's command execution path, leading to arbitrary command injection.
Exploitation
An attacker needs only low-privileged network access to the managed Ethernet switch. No authentication beyond that low-privilege level is needed, and the vulnerability can be triggered remotely without user interaction. By injecting operating system commands into the name parameter (e.g., via a crafted HTTP request or other management interface), the attacker can execute arbitrary commands in the context of the device's firmware [1].
Impact
Successful exploitation results in full compromise of the switch's system. The attacker gains the ability to execute arbitrary commands at a high privilege level, leading to complete loss of confidentiality, integrity, and availability of the device. This can allow unauthorized access to network traffic, modification of device configuration, denial of service, or further lateral movement within the network [1].
Mitigation
TURCK has addressed this vulnerability in firmware version 2.1.2.0, released on 19 May 2026 [1]. Users should upgrade all affected TBEN-Lx-SE-M2 devices to firmware version 2.1.2.0 or later immediately. Discontinuing use of end-of-life models or restricting network access to the management interface may serve as temporary workarounds where patching is not immediately possible. No other mitigations are detailed in the available references [1].
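An added example (not from TURCK or from this page's sources) that applies the upgrade guidance above to an asset inventory: it flags TBEN-Lx-SE-M2 entries whose firmware is below 2.1.2.0. The CSV columns, host names and firmware strings are constructed, and reading the "x" in the model name as a single alphanumeric token is an assumption.

```python
import csv
import io
import re

# From the advisory text: affected family and first fixed firmware version.
# Assumption: the "x" in TBEN-Lx-SE-M2 stands for one alphanumeric token.
AFFECTED_MODEL = re.compile(r"^TBEN-L[0-9A-Za-z]+-SE-M2$", re.IGNORECASE)
FIXED_VERSION = (2, 1, 2, 0)

def parse_version(text):
    """Return a 4-tuple of ints, or None if the string is not a dotted version."""
    cleaned = text.strip().lstrip("vV")
    if not re.fullmatch(r"\d+(\.\d+){0,3}", cleaned):
        return None
    parts = [int(p) for p in cleaned.split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # "2.1.2" compares as 2.1.2.0

def classify(model, firmware):
    """Classify one device: 'not-affected', 'patched', 'vulnerable' or 'unknown'."""
    if not AFFECTED_MODEL.match(model.strip()):
        return "not-affected"
    version = parse_version(firmware)
    if version is None:
        return "unknown"  # unreadable firmware string: verify on the device itself
    return "patched" if version >= FIXED_VERSION else "vulnerable"

def audit(inventory_csv):
    """Map each host in the CSV (columns: host, model, firmware) to its status."""
    reader = csv.DictReader(io.StringIO(inventory_csv))
    return {row["host"]: classify(row["model"], row["firmware"]) for row in reader}

# Constructed sample inventory (hosts and firmware strings are made up).
SAMPLE_INVENTORY = """host,model,firmware
sw-line1,TBEN-L4-SE-M2,2.1.1.9
sw-line2,TBEN-L4-SE-M2,V2.1.2.0
sw-line3,TBEN-L4-SE-M2,2.0
sw-line4,TBEN-L4-SE-M2,n/a
sw-office,OTHER-SWITCH-8,1.0.0.0
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Entries reported as `unknown` have a firmware string the inventory could not express as a dotted version and should be checked on the device rather than assumed patched.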
AI Insight generated on Jun 16, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (1)
News mentions (0)
No linked articles in our index yet.