CVE-2026-38063
Deferred Deferred - Pending Action

Command Injection in Tenda 5G03 Router

Vulnerability report for CVE-2026-38063, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-16
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
tenda 5g03 V05.03.02.04

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-78 The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The CVE-2026-38063 vulnerability allows an attacker to execute arbitrary commands on the Tenda 5G03 router by exploiting a command injection flaw in the action_radio_on_with_ia_apn function. This unauthorized command execution could potentially lead to unauthorized access, data breaches, or manipulation of device settings.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data, ensuring device integrity, and preventing unauthorized access. If exploited, this vulnerability could lead to violations of these regulations due to compromised confidentiality, integrity, or availability of data handled by the device.

Mitigation Strategies

To mitigate the CVE-2026-38063 vulnerability in the Tenda 5G03 router, immediate steps include avoiding exposure of the vulnerable endpoint to untrusted networks and restricting access to the router's administrative interface.

Specifically, do not send or allow POST requests to the endpoint `/cgi-bin/luci/admin/telephony/trigger_set_radio_on_with_ia` with untrusted input in the `ia` parameter, as it is vulnerable to command injection.

If possible, disable remote administration or restrict it to trusted IP addresses only.

Monitor the device for any suspicious files or commands, such as the presence of `/tmp/RADIO_IA_VULN_PROVED`, which indicates exploitation.

Finally, check for firmware updates or patches from the vendor that address this vulnerability and apply them as soon as they become available.

Executive Summary

The CVE-2026-38063 vulnerability affects the Tenda 5G03 router with firmware version V05.03.02.04. It is a command injection vulnerability located in the function action_radio_on_with_ia_apn, specifically due to improper sanitization of the ia parameter.

An attacker can exploit this vulnerability by sending a specially crafted POST request to the endpoint /cgi-bin/luci/admin/telephony/trigger_set_radio_on_with_ia with a malicious ia parameter. This allows the attacker to execute arbitrary commands on the router.

Impact Analysis

Successful exploitation of this vulnerability grants an attacker the ability to run arbitrary commands on the affected Tenda 5G03 router. This can lead to unauthorized control over the device, potentially allowing the attacker to manipulate router settings, intercept or redirect network traffic, install malicious software, or disrupt network operations.

Detection Guidance

This vulnerability can be detected by attempting to exploit the command injection in the ia parameter of the vulnerable endpoint. Specifically, sending a crafted POST request to the endpoint /cgi-bin/luci/admin/telephony/trigger_set_radio_on_with_ia with a malicious ia parameter can confirm the presence of the vulnerability.

  • Send a POST request with the payload ia="any_ia"; touch /tmp/RADIO_IA_VULN_PROVED; # to the URL /cgi-bin/luci/admin/telephony/trigger_set_radio_on_with_ia.
  • Check if the file /tmp/RADIO_IA_VULN_PROVED is created on the device, which indicates successful command injection.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-38063. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart