Teltonika
Products
12- 9 CVEs
- 7 CVEs
- 3 CVEs
- 2 CVEs
- 2 CVEs
- 2 CVEs
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
- 1 CVE
Recent CVEs
29| CVE | Vendor / Product | Sev | Risk | CVSS | EPSS | KEV | Published | Description |
|---|---|---|---|---|---|---|---|---|
| CVE-2017-8116 | Cri | 0.64 | 9.8 | 0.05 | Jul 3, 2017 | The management interface for the Teltonika RUT9XX routers (aka LuCI) with firmware 00.03.265 and earlier allows remote attackers to execute arbitrary commands with root privileges via shell metacharacters in the username parameter in a login request. | ||
| CVE-2026-8914 | Hig | 0.55 | — | 0.01 | Jun 5, 2026 | In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerability exists where a lower privileged user could perform command injection as the… | ||
| CVE-2025-4687 | Hig | 0.47 | — | 0.00 | May 29, 2025 | In Teltonika Networks Remote Management System (RMS), it is possible to perform account pre-hijacking by misusing the invite functionality. If a victim has a pending invite and registers to the platform directly, they are added to the attackers company without their knowledge.… | ||
| CVE-2024-8256 | Med | 0.38 | — | 0.00 | Dec 10, 2024 | In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access… | ||
| CVE-2018-17532 | 0.06 | — | 0.71 | Oct 15, 2018 | Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with… | |||
| CVE-2023-31728 | 0.00 | — | 0.00 | Feb 17, 2024 | Teltonika RUT240 devices with firmware before 07.04.2, when bridge mode is used, sometimes make SSH and HTTP services available on the IPv6 WAN interface even though the UI shows that they are only available on the LAN interface. | |||
| CVE-2024-22727 | 0.00 | — | 0.00 | Feb 17, 2024 | Teltonika TRB1-series devices with firmware before TRB1_R_00.07.05.2 allow attackers to exploit a firmware vulnerability via Ethernet LAN or USB. | |||
| CVE-2023-32350 | 0.00 | — | 0.01 | May 22, 2023 | Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead… | |||
| CVE-2023-2588 | 0.00 | — | 0.01 | May 22, 2023 | Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy. A user can request a web proxy and obtain a URL in the Remote Management System… | |||
| CVE-2023-2587 | 0.00 | — | 0.01 | May 22, 2023 | Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface. An attacker with the MAC address and serial number of a connected device could send a maliciously crafted JSON file with an… | |||
| CVE-2023-2586 | 0.00 | — | 0.01 | May 22, 2023 | Teltonika’s Remote Management System versions 4.14.0 is vulnerable to an unauthorized attacker registering previously unregistered devices through the RMS platform. If the user has not disabled the "RMS management feature" enabled by default, then an attacker could register… | |||
| CVE-2023-32348 | 0.00 | — | 0.01 | May 22, 2023 | Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices… | |||
| CVE-2023-32347 | 0.00 | — | 0.01 | May 22, 2023 | Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication. If an attacker obtained the serial number and MAC… | |||
| CVE-2023-32346 | 0.00 | — | 0.01 | May 22, 2023 | Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been… | |||
| CVE-2020-5788 | 0.00 | — | 0.01 | Oct 1, 2020 | Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to delete arbitrary files on disk via the admin/system/admin/certificates/delete action. | |||
| CVE-2020-5787 | 0.00 | — | 0.02 | Oct 1, 2020 | Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to delete arbitrary files on disk via the admin/services/packages/remove action. | |||
| CVE-2020-5785 | 0.00 | — | 0.01 | Oct 1, 2020 | Insufficient output sanitization in Teltonika firmware TRB2_R_00.02.04.3 allows an unauthenticated attacker to conduct reflected cross-site scripting via a crafted ‘action’ or ‘pkg_name’ parameter. | |||
| CVE-2020-5786 | 0.00 | — | 0.09 | Oct 1, 2020 | Cross-site request forgery in Teltonika firmware TRB2_R_00.02.04.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link. | |||
| CVE-2020-5789 | 0.00 | — | 0.01 | Oct 1, 2020 | Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to read the contents of arbitrary files on disk. | |||
| CVE-2020-5784 | 0.00 | — | 0.01 | Oct 1, 2020 | Server-Side Request Forgery in Teltonika firmware TRB2_R_00.02.04.3 allows a low privileged user to cause the application to perform HTTP GET requests to arbitrary URLs. |
- risk 0.64cvss 9.8epss 0.05
The management interface for the Teltonika RUT9XX routers (aka LuCI) with firmware 00.03.265 and earlier allows remote attackers to execute arbitrary commands with root privileges via shell metacharacters in the username parameter in a login request.
- risk 0.55cvss —epss 0.01
In Teltonika Networks RUTOS devices, running versions 7.22 through 7.23.2 and TSWOS devices running versions 1.09 through 1.09.1, due to unsafe calls to an eval function in rpc-profile, a vulnerability exists where a lower privileged user could perform command injection as the…
- risk 0.47cvss —epss 0.00
In Teltonika Networks Remote Management System (RMS), it is possible to perform account pre-hijacking by misusing the invite functionality. If a victim has a pending invite and registers to the platform directly, they are added to the attackers company without their knowledge.…
- risk 0.38cvss —epss 0.00
In Teltonika Networks RUTOS devices, running on versions 7.0 to 7.8 (excluding) and TSWOS devices running on versions 1.0 to 1.3 (excluding), due to incorrect permission handling a vulnerability exists which allows a lower privileged user with default permissions to access…
- CVE-2018-17532Oct 15, 2018risk 0.06cvss —epss 0.71
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with…
- CVE-2023-31728Feb 17, 2024risk 0.00cvss —epss 0.00
Teltonika RUT240 devices with firmware before 07.04.2, when bridge mode is used, sometimes make SSH and HTTP services available on the IPv6 WAN interface even though the UI shows that they are only available on the LAN interface.
- CVE-2024-22727Feb 17, 2024risk 0.00cvss —epss 0.00
Teltonika TRB1-series devices with firmware before TRB1_R_00.07.05.2 allow attackers to exploit a firmware vulnerability via Ethernet LAN or USB.
- CVE-2023-32350May 22, 2023risk 0.00cvss —epss 0.01
Versions 00.07.00 through 00.07.03 of Teltonika’s RUT router firmware contain an operating system (OS) command injection vulnerability in a Lua service. An attacker could exploit a parameter in the vulnerable function that calls a user-provided package name by instead…
- CVE-2023-2588May 22, 2023risk 0.00cvss —epss 0.01
Teltonika’s Remote Management System versions prior to 4.10.0 have a feature allowing users to access managed devices’ local secure shell (SSH)/web management services over the cloud proxy. A user can request a web proxy and obtain a URL in the Remote Management System…
- CVE-2023-2587May 22, 2023risk 0.00cvss —epss 0.01
Teltonika’s Remote Management System versions prior to 4.10.0 contain a cross-site scripting (XSS) vulnerability in the main page of the web interface. An attacker with the MAC address and serial number of a connected device could send a maliciously crafted JSON file with an…
- CVE-2023-2586May 22, 2023risk 0.00cvss —epss 0.01
Teltonika’s Remote Management System versions 4.14.0 is vulnerable to an unauthorized attacker registering previously unregistered devices through the RMS platform. If the user has not disabled the "RMS management feature" enabled by default, then an attacker could register…
- CVE-2023-32348May 22, 2023risk 0.00cvss —epss 0.01
Teltonika’s Remote Management System versions prior to 4.10.0 contain a virtual private network (VPN) hub feature for cross-device communication that uses OpenVPN. It connects new devices in a manner that allows the new device to communicate with all Teltonika devices…
- CVE-2023-32347May 22, 2023risk 0.00cvss —epss 0.01
Teltonika’s Remote Management System versions prior to 4.10.0 use device serial numbers and MAC addresses to identify devices from the user perspective for device claiming and from the device perspective for authentication. If an attacker obtained the serial number and MAC…
- CVE-2023-32346May 22, 2023risk 0.00cvss —epss 0.01
Teltonika’s Remote Management System versions prior to 4.10.0 contain a function that allows users to claim their devices. This function returns information based on whether the serial number of a device has already been claimed, the MAC address of a device has already been…
- CVE-2020-5788Oct 1, 2020risk 0.00cvss —epss 0.01
Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to delete arbitrary files on disk via the admin/system/admin/certificates/delete action.
- CVE-2020-5787Oct 1, 2020risk 0.00cvss —epss 0.02
Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to delete arbitrary files on disk via the admin/services/packages/remove action.
- CVE-2020-5785Oct 1, 2020risk 0.00cvss —epss 0.01
Insufficient output sanitization in Teltonika firmware TRB2_R_00.02.04.3 allows an unauthenticated attacker to conduct reflected cross-site scripting via a crafted ‘action’ or ‘pkg_name’ parameter.
- CVE-2020-5786Oct 1, 2020risk 0.00cvss —epss 0.09
Cross-site request forgery in Teltonika firmware TRB2_R_00.02.04.3 allows a remote attacker to perform sensitive application actions by tricking legitimate users into clicking a crafted link.
- CVE-2020-5789Oct 1, 2020risk 0.00cvss —epss 0.01
Relative Path Traversal in Teltonika firmware TRB2_R_00.02.04.3 allows a remote, authenticated attacker to read the contents of arbitrary files on disk.
- CVE-2020-5784Oct 1, 2020risk 0.00cvss —epss 0.01
Server-Side Request Forgery in Teltonika firmware TRB2_R_00.02.04.3 allows a low privileged user to cause the application to perform HTTP GET requests to arbitrary URLs.