CVE-2026-38061
Deferred - Pending Action
Command Injection in Tenda 5G03 Router

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: tenda
Product: 5g03
Version / Range: v05.03.02.04
CWE ID: CWE-UNKNOWN
Executive Summary

CVE-2026-38061 is a command injection vulnerability found in Tenda 5G03 devices running firmware version V05.03.02.04. It exists in the function action_set_volume, specifically in the handling of the volume parameter.

The vulnerability occurs because the volume parameter is not properly sanitized, allowing an attacker to inject and execute arbitrary shell commands on the device.

For example, an attacker can send a crafted request with a payload like `1; touch /tmp/VOLUME_VULN_PROVED; #` in the volume field, which causes the device to execute the injected command.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands on the affected Tenda 5G03 device remotely.

Such command injection can lead to unauthorized control over the device, potentially allowing attackers to alter device behavior, access sensitive information, or use the device as a foothold for further attacks within a network.

Detection Guidance

This vulnerability can be detected by sending a request to the Tenda 5G03 device that targets the `action_set_volume` function with a crafted `volume` parameter.

For example, sending a request with the volume parameter set to `1; touch /tmp/VOLUME_VULN_PROVED; #` will execute arbitrary shell commands if the device is vulnerable.

If the file `/tmp/VOLUME_VULN_PROVED` is created on the device, it confirms the presence of the command injection vulnerability.
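
A passive counterpart to the probe described above, as an added example that is not part of the advisory or of Tenda's code: it scans logged requests for `volume` values that are not a plain integer. The request path, the log shape and the assumption that a legitimate volume is a 1 to 3 digit number are hypothetical.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote_plus

# Assumption: a legitimate volume value is a short decimal integer.
VALID_VOLUME = re.compile(r"[0-9]{1,3}")
# Characters a shell treats specially; used only to label the finding.
SHELL_META = set(";|&`$()<>#")

def volume_values(request_target, body=""):
    """Yield every `volume` value from the query string and a form-encoded body."""
    query = urlsplit(request_target).query
    for source in (query, body):
        for key, value in parse_qsl(source, keep_blank_values=True):
            if key == "volume":
                yield value

def fully_decode(value, rounds=3):
    """Undo repeated percent-encoding (e.g. %253B -> %3B -> ;)."""
    for _ in range(rounds):
        decoded = unquote_plus(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_request(request_target, body=""):
    """Return a list of (decoded value, reason) findings for one request."""
    findings = []
    for raw in volume_values(request_target, body):
        value = fully_decode(raw)
        if VALID_VOLUME.fullmatch(value):
            continue  # plain integer: nothing to report
        meta = sorted(SHELL_META.intersection(value))
        reason = "shell metacharacters: " + " ".join(meta) if meta else "not a plain integer"
        findings.append((value, reason))
    return findings

# Constructed sample requests; the path is hypothetical, the payload is the one quoted above.
SAMPLES = [
    ("/hypothetical/set_volume?volume=50", ""),
    ("/hypothetical/set_volume", "volume=1%3B+touch+%2Ftmp%2FVOLUME_VULN_PROVED%3B+%23"),
    ("/hypothetical/set_volume?volume=7%253B", ""),
    ("/hypothetical/set_volume?volume=loud", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(target, inspect_request(target, body))
```

The same allowlist, applied to the `volume` value before it reaches a shell, is the input check whose absence the summary describes.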
