CVE-2026-38062
Deferred Deferred - Pending Action

Command Injection in Tenda 5G03 Router

Vulnerability report for CVE-2026-38062, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-15
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 2 associated CPEs
Vendor Product Version / Range
tenda 5g03 V05.03.02.04
tenda 5g03 1.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

The CVE-2026-38062 vulnerability affects the Tenda 5G03 router with firmware version V05.03.02.04. It is a command injection vulnerability in the function action_set_rat_mode, which is located in the /usr/lib/lua/luci/controller/admin/telephony.lua file.

The vulnerability occurs because the function does not properly validate the ratMode parameter. An attacker can exploit this by sending a specially crafted POST request to the /cgi-bin/luci/admin/telephony/trigger_set_nw_rat endpoint with a malicious ratMode value that includes shell commands.

For example, a payload like 4G"; touch /tmp/RAT_MODE_VULN_PROVED; # would execute arbitrary commands on the router, allowing unauthorized command execution.

Mitigation Strategies

To mitigate the CVE-2026-38062 vulnerability in the Tenda 5G03 router firmware V05.03.02.04, you should immediately restrict access to the router's administrative interface, especially the endpoint /cgi-bin/luci/admin/telephony/trigger_set_nw_rat.

Avoid sending or accepting untrusted input for the ratMode parameter, as it is vulnerable to command injection.

If possible, apply any available firmware updates or patches from the vendor that address this issue.

As a temporary measure, monitor the device for suspicious activity such as unexpected files (e.g., /tmp/RAT_MODE_VULN_PROVED) or unauthorized commands.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary commands on the affected Tenda 5G03 router remotely. This unauthorized command execution can lead to full compromise of the device.

  • Attackers could manipulate router settings or disrupt network operations.
  • They might install malicious software or create backdoors for persistent access.
  • Sensitive information passing through the router could be intercepted or altered.
Detection Guidance

This vulnerability can be detected by checking if the Tenda 5G03 router with firmware version V05.03.02.04 is vulnerable to command injection via the ratMode parameter.

One way to test is to send a crafted POST request to the endpoint /cgi-bin/luci/admin/telephony/trigger_set_nw_rat with a malicious ratMode payload that attempts to execute a command.

For example, sending the payload ratMode=4G"; touch /tmp/RAT_MODE_VULN_PROVED; # will create a file /tmp/RAT_MODE_VULN_PROVED if the device is vulnerable.

After sending the request, check the device for the presence of the file /tmp/RAT_MODE_VULN_PROVED to confirm exploitation.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38062. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart