CVE-2026-38060
Deferred - Pending Action
Command Injection in Tenda 5G03 Router

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin parameter.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 1 associated CPE
Vendor: tenda
Product: 5g03
Version / Range: v05.03.02.04
CWE ID: CWE-UNKNOWN
Executive Summary

The CVE-2026-38060 vulnerability affects the Tenda 5G03 router with firmware version V05.03.02.04. It is a command injection flaw in the function action_unlock_sim, specifically in the pin parameter.

This function, located in the router's Lua controller script, does not properly sanitize the pin input, allowing an attacker to inject malicious commands.

By sending a specially crafted request to the router's /cgi-bin/luci/admin/telephony/trigger_sim_unlock endpoint with a manipulated pin value, an attacker can execute arbitrary commands on the device.

Exploitation requires valid session cookies; a successful attack results in unauthorized command execution on the router.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands on the affected Tenda 5G03 router.

Such unauthorized command execution can lead to compromise of the router, including potential control over network traffic, disruption of services, or further attacks on connected devices.

Because the attacker needs valid session cookies, the risk depends on the attacker's ability to obtain or guess these credentials.

Detection Guidance

This vulnerability can be detected by sending a crafted HTTP request to the router's vulnerable endpoint and checking for the creation of a specific file that indicates successful command injection.

Specifically, an attacker can send a request to the `/cgi-bin/luci/admin/telephony/trigger_sim_unlock` endpoint with a specially formatted `pin` parameter that injects a command to create a file named `/tmp/UNLOCK_SIM_VULN_PROVED`.

  • Use a tool like curl to send a POST request with the injected payload in the `pin` parameter, for example: `pin=1234"; touch /tmp/UNLOCK_SIM_VULN_PROVED; #`.
  • Check the device's `/tmp` directory for the presence of the file `UNLOCK_SIM_VULN_PROVED` to confirm vulnerability.

Note that successful exploitation requires valid session cookies, so authentication to the router's web interface is necessary.

Compliance Impact

The provided information does not specify any direct impact of the CVE-2026-38060 vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Mitigation Strategies

To mitigate the CVE-2026-38060 vulnerability in the Tenda 5G03 router, immediate steps include restricting access to the router's web interface, especially the /cgi-bin/luci/admin/telephony/trigger_sim_unlock endpoint.

Ensure that only trusted users have valid session cookies and credentials to prevent unauthorized command injection via the pin parameter.

If possible, disable or restrict the telephony feature or the vulnerable function until a firmware update or patch is available.

Monitor the device for any unusual files or behavior, such as the creation of unexpected files like /tmp/UNLOCK_SIM_VULN_PROVED, which could indicate exploitation attempts.
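
The same monitoring can be applied to logged or proxied HTTP requests. The following added example (not part of the original advisory or of the vendor's code) flags requests to the endpoint whose `pin` value is not a plain numeric PIN; the 4-to-8-digit rule, the function names and the sample requests are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, quote, urlsplit

ENDPOINT = "/cgi-bin/luci/admin/telephony/trigger_sim_unlock"  # from the advisory
PIN_OK = re.compile(r"[0-9]{4,8}")  # assumption: a SIM PIN is 4 to 8 ASCII digits


def suspicious_pins(method, url, body):
    """Return the pin values in one request that are not a plain numeric PIN."""
    parts = urlsplit(url)
    if parts.path.rstrip("/") != ENDPOINT:
        return []
    # The parameter may arrive in the query string or the form body; check both.
    fields = parse_qs(parts.query, keep_blank_values=True)
    if method.upper() == "POST":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            fields.setdefault(key, []).extend(values)
    # parse_qs has already URL-decoded the values, so encoded input is covered.
    return [p for p in fields.get("pin", []) if not PIN_OK.fullmatch(p)]


def scan(requests):
    """Return (index, bad_values) for every logged request that needs review."""
    return [(i, bad) for i, r in enumerate(requests) if (bad := suspicious_pins(*r))]


# Constructed sample log of (method, URL, body) tuples. PAYLOAD is the string
# quoted in the advisory; the other requests are made up for this example.
PAYLOAD = '1234"; touch /tmp/UNLOCK_SIM_VULN_PROVED; #'
ENCODED = quote(PAYLOAD, safe="")
SAMPLE = [
    ("POST", ENDPOINT, "pin=1234"),                 # normal unlock request
    ("POST", ENDPOINT, "pin=" + ENCODED),           # URL-encoded injection
    ("POST", ENDPOINT, "pin=1234&pin=" + ENCODED),  # duplicate parameter
    ("POST", "/cgi-bin/luci/", "pin=" + ENCODED),   # different path, ignored
    ("GET", ENDPOINT + "?pin=" + ENCODED, ""),      # value in the query string
]

if __name__ == "__main__":
    for index, bad in scan(SAMPLE):
        print(f"request {index}: non-numeric pin {bad!r}")
```

Any hit deserves review even when `/tmp/UNLOCK_SIM_VULN_PROVED` is absent from the device, since that file name only reflects the proof-of-concept payload.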
