OTPulse

Teltonika Remote Management System and RUT Model Routers

Act Now · 9 · ICS-CERT ICSA-23-131-08 · May 11, 2023
Attack Vector: Network
Auth Required: None
Complexity: High
User Interaction: None needed
Summary

Multiple vulnerabilities exist in Teltonika Remote Management System (RMS) versions before 4.10.0 and 4.14.0, and RUT model routers firmware versions 00.07.00 through 00.07.03.4. These include CWE-287 (improper authentication), CWE-918 (server-side request forgery), CWE-79 (cross-site scripting), CWE-78 (OS command injection), and information disclosure flaws. Successful exploitation allows attackers to extract device credentials and configuration data, execute remote commands on the device, enumerate connected devices managed through the system, and impersonate legitimate devices on the network. The vulnerabilities require network access but do not require authentication or user interaction.

What this means
What could happen
An attacker with network access to a Teltonika RMS or RUT router could extract device credentials and sensitive configuration data, execute arbitrary commands on the device, and gain visibility into all connected devices managed through the system—potentially allowing them to compromise the entire network.
Who's at risk
This affects water utilities, municipalities, and industrial operators who use Teltonika Remote Management System (RMS) or RUT series industrial routers for network management and remote connectivity. Any organization using these devices for SCADA network access or equipment management should prioritize this advisory.
How it could be exploited
An attacker with network access to the RMS or RUT device can exploit multiple authentication and injection vulnerabilities to bypass security checks, gain unauthorized access, and execute commands. The attack does not require user interaction or valid credentials.
Prerequisites
  • Network access to the RMS or RUT device on ports used for management (typically HTTP/HTTPS)
  • Device running affected RMS firmware <4.10.0 or <4.14.0, or RUT firmware >=00.07.00 and <=00.07.03.4
  • remotely exploitable
  • no authentication required
  • low complexity
  • no patch available for some variants
  • affects network management infrastructure
  • default or weak credentials may be present
  • affects visibility of critical devices
Exploitability
Low exploit probability (EPSS 0.8%)
Affected products (4)
2 with fix, 2 EOL
  • Product: Remote Management System (RMS): <4.10.0
    Affected versions: <4.10.0
    Fix status: 4.10.0 or later (note: versions <4.10.0 have no fix; versions <4.14.0 have fixes in 4.14.0 or later)
  • Product: Remote Management System (RMS): <4.14.0
    Affected versions: <4.14.0
    Fix status: 4.10.0 or later (note: versions <4.10.0 have no fix; versions <4.14.0 have fixes in 4.14.0 or later)
  • Product: RUT model routers: >=00.07.00|<=00.07.03.4
    Affected versions: ≥ 00.07.00|≤ 00.07.03.4
    Fix status: No fix (EOL)
  • Product: RUT model routers: >=00.07.00|<=00.07.03
    Affected versions: ≥ 00.07.00|≤ 00.07.03
    Fix status: No fix (EOL)
Remediation & Mitigation
Do now
Remote Management System (RMS): <4.10.0
  • HOTFIX: Update RMS to the latest version published by Teltonika (versions 4.10.0 or later for affected instances)
  • HARDENING: Isolate RMS and RUT devices from the Internet and place them behind a firewall with network segmentation from business networks
All products
  • HOTFIX: Update RUT routers to the latest firmware available on Teltonika's website (versions later than 00.07.03.4)
  • HARDENING: If remote management is necessary, restrict access to a secure VPN with network access controls and IP allowlisting for authorized administrators only
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

Remote Management System (RMS): <4.10.0
  • HARDENING: Review and monitor all device management traffic for suspicious activity; log and audit all administrative access to RMS and RUT devices