Skip to main content
A Leader in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection. Six years running.Find Out Why
CVE Vulnerability Database
Vulnerability Database/CVE-2026-38062

CVE-2026-38062: Tenda 5G03 Command Injection Vulnerability

CVE-2026-38062 is a command injection vulnerability in Tenda 5G03 router affecting the action_set_rat_mode function. Attackers can exploit the ratMode parameter to execute arbitrary commands. This article covers technical details, affected versions, impact assessment, and mitigation strategies.

Published:

CVE-2026-38062 Overview

CVE-2026-38062 is a command injection vulnerability [CWE-78] affecting the Tenda 5G03 router running firmware version V05.03.02.04 (Version 1.0). The flaw resides in the action_set_rat_mode function, which fails to sanitize the ratMode parameter before passing it to a system shell. Remote attackers can inject arbitrary operating system commands over the network without authentication. Successful exploitation grants execution in the context of the router's web service, typically root on embedded Linux devices. The vulnerability is tracked in a public GitHub proof-of-concept repository.

Critical Impact

Unauthenticated remote attackers can execute arbitrary OS commands on affected Tenda 5G03 routers, leading to full device compromise.

Affected Products

  • Tenda 5G03 router firmware V05.03.02.04 (Version 1.0)

Discovery Timeline

  • 2026-06-15 - CVE-2026-38062 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-38062

Vulnerability Analysis

The vulnerability is an OS command injection [CWE-78] within the router's HTTP management interface. The action_set_rat_mode handler accepts a user-supplied ratMode parameter intended to configure the radio access technology mode. Instead of validating or escaping the input, the handler concatenates the parameter into a shell command string that is dispatched to the underlying system. An attacker who supplies shell metacharacters such as ;, |, &&, or backticks within ratMode can break out of the intended command and execute arbitrary binaries on the device.

Because the management web service on embedded Tenda devices typically runs with elevated privileges, successful injection results in full device takeover. Attackers can pivot into the internal network, intercept traffic, modify DNS settings, or enroll the device into a botnet. The flaw is reachable over the network and requires no authentication or user interaction.

Root Cause

The root cause is missing input validation and unsafe construction of shell command strings in the action_set_rat_mode function. User-controllable HTTP parameters are passed directly to a shell interpreter rather than being processed through a parameterized API or strict allowlist.

Attack Vector

Exploitation is performed by sending a crafted HTTP request to the router's management interface containing a malicious ratMode value. Technical details and reproduction steps are published in the GitHub PoC Repository. Devices exposing the management interface to untrusted networks face the highest risk.

Detection Methods for CVE-2026-38062

Indicators of Compromise

  • HTTP POST requests targeting the action_set_rat_mode endpoint containing shell metacharacters (;, |, &, `, $()) in the ratMode parameter.
  • Unexpected outbound connections originating from the router to attacker-controlled hosts after configuration requests.
  • New or modified processes on the device such as telnetd, nc, wget, or tftp invocations.
  • Unauthorized changes to DNS, firewall, or administrative credentials following remote configuration calls.

Detection Strategies

  • Deploy network IDS/IPS signatures that flag HTTP requests to router management URIs containing shell metacharacters in ratMode or similar configuration parameters.
  • Inspect router system logs (where exposed via syslog) for anomalous command execution or web handler errors tied to RAT mode changes.
  • Use network behavior analytics to identify routers initiating outbound traffic to non-vendor infrastructure.

Monitoring Recommendations

  • Forward router syslog and management-plane traffic to a centralized log platform for correlation against known exploitation patterns.
  • Monitor egress traffic from network gateway devices for unexpected protocols such as IRC, TOR, or unauthorized SSH.
  • Alert on configuration changes to RAT mode or radio settings outside of approved change windows.

How to Mitigate CVE-2026-38062

Immediate Actions Required

  • Restrict access to the router's management interface to trusted internal networks only and disable any WAN-side administration.
  • Audit Tenda 5G03 devices for firmware version V05.03.02.04 and inventory exposure of their HTTP management ports.
  • Rotate administrative credentials on affected devices and review recent configuration changes for tampering.
  • Segment IoT and consumer-grade routers from sensitive production networks.

Patch Information

No vendor patch is referenced in the NVD entry at the time of publication. Operators should monitor the Tenda product security page for firmware updates addressing the action_set_rat_mode handler and apply them once released.

Workarounds

  • Disable remote management on the WAN interface and require VPN access for administrative tasks.
  • Place affected devices behind an upstream firewall that filters inbound HTTP requests to router management URIs.
  • Replace the device with a supported model if no patch is published within an acceptable risk window.
  • Apply ACLs or upstream WAF rules that reject requests containing shell metacharacters in router configuration parameters.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.

Try SentinelOne