Impact
The vulnerability originates from insufficient sanitization of the name parameter in the firmware of Turck Managed Ethernet Switches, allowing a remote attacker with low privileges to inject arbitrary commands into the system. This flaw provides the attacker the ability to execute commands with the privileges of the affected service, potentially leading to full system compromise. The weakness is a classic command injection (CWE‑78) and directly impacts confidentiality, integrity and availability.
Affected Systems
Turck TBEN‑L4‑SE‑M2, Turck TBEN‑L5‑SE‑M2 and Turck TBEN‑LL‑SE‑M2 devices running versions not specified in the advisory are affected. The CVE does not provide explicit version ranges, so any deployment of these models should be examined for the presence of this flaw until a patch is applied.
Risk and Exploitability
The CVSS score of 8.7 classifies the issue as high severity, and an EPSS of 1 % indicates a non‑zero but low exploitation probability at the time of reporting. The vulnerability is not listed in CISA KEV, suggesting no publicly known active exploits yet. The likely attack vector is a remote attacker sending a crafted name field to the device’s management interface over a network reachable by the attacker, possibly exploiting the device’s default or weak credentials.
OpenCVE Enrichment