CVE-2026-38062
Deferred - Pending Action
BaseFortify

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter.
Meta Information
Published: 2026-06-15
Last Modified: 2026-06-15
Generated: 2026-06-16
AI Q&A: 2026-06-15
EPSS Evaluated: N/A
Affected Vendors & Products
Showing 2 associated CPEs
Vendor  Product  Version / Range
tenda   5g03     V05.03.02.04
tenda   5g03     1.0
CWE ID Description
CWE-UNKNOWN
Executive Summary

The CVE-2026-38062 vulnerability affects the Tenda 5G03 router with firmware version V05.03.02.04. It is a command injection vulnerability in the function action_set_rat_mode, which is located in the /usr/lib/lua/luci/controller/admin/telephony.lua file.

The vulnerability occurs because the function does not properly validate the ratMode parameter. An attacker can exploit this by sending a specially crafted POST request to the /cgi-bin/luci/admin/telephony/trigger_set_nw_rat endpoint with a malicious ratMode value that includes shell commands.

For example, a ratMode value such as 4G"; touch /tmp/RAT_MODE_VULN_PROVED; # would cause the appended command to run on the router, giving the attacker unauthorized command execution.

Impact Analysis

This vulnerability can allow an attacker to execute arbitrary commands on the affected Tenda 5G03 router remotely. This unauthorized command execution can lead to full compromise of the device.

  • Attackers could manipulate router settings or disrupt network operations.
  • They might install malicious software or create backdoors for persistent access.
  • Sensitive information passing through the router could be intercepted or altered.

Detection Guidance

Detection consists of checking whether a Tenda 5G03 router running firmware version V05.03.02.04 is vulnerable to command injection via the ratMode parameter.

One way to test is to send a crafted POST request to the endpoint /cgi-bin/luci/admin/telephony/trigger_set_nw_rat with a malicious ratMode payload that attempts to execute a command.

For example, sending the payload ratMode=4G"; touch /tmp/RAT_MODE_VULN_PROVED; # will create a file /tmp/RAT_MODE_VULN_PROVED if the device is vulnerable.

After sending the request, check the device for the presence of the file /tmp/RAT_MODE_VULN_PROVED to confirm exploitation.
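
The same indicator can also be watched for passively. The following is an added example, not code from this page, BaseFortify or Tenda: it scans captured requests to the endpoint named above and flags any ratMode value that falls outside an allowlist. The form-encoded body, the allowlist pattern and the sample traffic are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/cgi-bin/luci/admin/telephony/trigger_set_nw_rat"
# Assumption: legitimate ratMode values are short alphanumeric tokens such as "4G".
SAFE_RATMODE = re.compile(r"[A-Za-z0-9]{1,8}")


def suspicious_rat_mode(method, url, body):
    """Return the ratMode values in one request that fail the allowlist."""
    if method.upper() != "POST" or urlsplit(url).path.rstrip("/") != ENDPOINT:
        return []
    # parse_qs percent-decodes, so %22%3B is inspected as '";'.
    fields = parse_qs(body, keep_blank_values=True)
    # Every occurrence is checked: a repeated parameter could hide a bad value.
    return [v for v in fields.get("ratMode", []) if not SAFE_RATMODE.fullmatch(v)]


def scan(requests):
    """Return (source, value) for each rejected ratMode in the capture."""
    hits = []
    for src, method, url, body in requests:
        for value in suspicious_rat_mode(method, url, body):
            hits.append((src, value))
    return hits


# Constructed sample traffic: (source address, method, URL, form body).
SAMPLE = [
    ("192.0.2.10", "POST", ENDPOINT, "ratMode=4G"),
    ("192.0.2.77", "POST", ENDPOINT,
     "ratMode=4G%22%3B+touch+%2Ftmp%2FRAT_MODE_VULN_PROVED%3B+%23"),
    ("192.0.2.77", "POST", ENDPOINT, "ratMode=5G&ratMode=4G%22%3B+%23"),
    ("192.0.2.10", "GET", ENDPOINT, ""),
    ("192.0.2.10", "POST", "/cgi-bin/luci/admin/status", "ratMode=4G%22"),
]

if __name__ == "__main__":
    for src, value in scan(SAMPLE):
        print(f"ALERT {src} ratMode={value!r}")
```

Matching on an allowlist rather than on specific metacharacters means encoded or otherwise altered variants of the value are still reported.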
