Executive Summary

CVE-2026-5339 is a command injection vulnerability found in the Tenda G103 GPON optical network terminal, specifically in the function action_set_net_settings within the gpon.lua file.

The vulnerability occurs because the authLoid parameter (and related parameters) are not properly sanitized and are directly concatenated into system commands without input validation.

An authenticated attacker can inject arbitrary shell commands by including special shell characters such as backticks, semicolons, or logical operators in the authLoid parameter.

These injected commands are executed with root privileges, potentially allowing the attacker to fully compromise the device.

Exploitation requires a valid session token and authentication cookies, meaning the attacker must be authenticated to the device.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an authenticated attacker to execute arbitrary system commands with root privileges on the affected Tenda G103 device.

Successful exploitation can lead to full device compromise, including unauthorized control over device settings, data, and network traffic.

Such control could be used to disrupt network operations, intercept or manipulate data, or use the device as a foothold for further attacks within the network.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by attempting to exploit the command injection via the vulnerable parameter `authLoid` in the `action_set_net_settings` function. A proof of concept involves sending a crafted POST request to the endpoint `/cgi-bin/luci/;stok=<session_token>/admin/gpon/set-net-settings` with a payload that includes shell metacharacters.

For example, sending a payload like `authLoid=1`touch$IFS/tmp/authLoid.txt`` attempts to create a file `/tmp/authLoid.txt` on the device. If this file is created, it confirms the vulnerability.

Detection requires valid authentication (a session token and cookies). Monitoring for unusual POST requests to `/cgi-bin/luci/` with suspicious parameters containing shell metacharacters such as backticks (`), semicolons (;), or logical operators (&&) can also help identify exploitation attempts.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows authenticated attackers to execute arbitrary commands with root privileges on the Tenda G103 device, potentially leading to full device compromise.

Such a compromise could result in unauthorized access to sensitive data or disruption of device functionality, which may impact compliance with standards and regulations like GDPR or HIPAA that require protection of personal and sensitive information.

However, the provided information does not explicitly detail the direct effects on compliance with these standards.

Useful 0 Not Useful 0

Mitigation Strategies

To mitigate the vulnerability in Tenda G103 1.0.0.5 related to command injection in the action_set_net_settings function, immediate steps include restricting access to the device's administrative interface to trusted users only.

Ensure that only authenticated and authorized users have access, as exploitation requires valid authentication tokens and session cookies.

Monitor and limit the use of the vulnerable parameters (authLoid, authLoidPassword, authPassword, authSerialNo, authType, oltType, usVlanId, usVlanPriority) to prevent injection of malicious input.

If possible, apply any available patches or updates from the vendor that address this issue.

As a temporary measure, consider isolating the device from untrusted networks to reduce the risk of remote exploitation.

Useful 0 Not Useful 0