CVE-2026-38061
Deferred Deferred - Pending Action

Command Injection in Tenda 5G03 Router

Vulnerability report for CVE-2026-38061, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-15
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tenda 5g03 v05.03.02.04

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-38061 is a command injection vulnerability found in Tenda 5G03 devices running firmware version V05.03.02.04. It exists in the function action_set_volume, specifically in the handling of the volume parameter.

The vulnerability occurs because the volume parameter is not properly sanitized, allowing an attacker to inject and execute arbitrary shell commands on the device.

For example, an attacker can send a crafted request with a payload like '1; touch /tmp/VOLUME_VULN_PROVED; #' in the volume field, which causes the device to execute the injected command.

Impact Analysis

This vulnerability allows an attacker to execute arbitrary commands on the affected Tenda 5G03 device remotely.

Such command injection can lead to unauthorized control over the device, potentially allowing attackers to alter device behavior, access sensitive information, or use the device as a foothold for further attacks within a network.

Detection Guidance

This vulnerability can be detected by sending a crafted request to the vulnerable Tenda 5G03 device targeting the `action_set_volume` function with a specially crafted `volume` parameter.

For example, sending a request with the volume parameter set to `1; touch /tmp/VOLUME_VULN_PROVED; #` will execute arbitrary shell commands if the device is vulnerable.

If the file `/tmp/VOLUME_VULN_PROVED` is created on the device, it confirms the presence of the command injection vulnerability.

Mitigation Strategies

To mitigate the CVE-2026-38061 vulnerability, you should immediately update the firmware of your Tenda 5G03 device to a version later than V05.03.02.04 where the command injection flaw in the action_set_volume function is fixed.

If an immediate firmware update is not possible, restrict access to the device's administrative interfaces to trusted networks only, and avoid sending or accepting untrusted input to the volume parameter to prevent exploitation.

Monitor the device for any unusual files or commands, such as the creation of files like /tmp/VOLUME_VULN_PROVED, which indicate exploitation attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38061. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart