CVE-2026-5339 Overview
A command injection vulnerability has been identified in Tenda G103 router firmware version 1.0.0.5. The vulnerability exists within the action_set_net_settings function located in the gpon.lua file of the Setting Handler component. An attacker can exploit this flaw by manipulating multiple authentication and configuration parameters including authLoid, authLoidPassword, authPassword, authSerialNo, authType, oltType, usVlanId, and usVlanPriority to inject and execute arbitrary system commands. The exploit has been publicly disclosed and is currently available.
Critical Impact
Remote attackers with privileged access can execute arbitrary commands on the affected device, potentially compromising network security and enabling further attacks on connected systems.
Affected Products
- Tenda G103 firmware version 1.0.0.5
- Tenda G103 GPON routers running vulnerable firmware
Discovery Timeline
- April 2, 2026 - CVE-2026-5339 published to NVD
- April 2, 2026 - Last updated in NVD database
Technical Details for CVE-2026-5339
Vulnerability Analysis
This command injection vulnerability (CWE-74) affects the GPON configuration handler in Tenda G103 routers. The action_set_net_settings function in gpon.lua fails to properly sanitize user-supplied input before passing it to system shell commands. Multiple parameters related to GPON authentication and VLAN configuration are vulnerable to injection attacks.
The vulnerability can be exploited remotely over the network, though it requires privileged (administrative) access to the device. When successfully exploited, an attacker can execute arbitrary commands with the privileges of the web server process, typically root on embedded devices. This could lead to complete device compromise, including the ability to intercept network traffic, modify device configurations, install backdoors, or use the device as a pivot point for attacks on the internal network.
Root Cause
The root cause of this vulnerability is improper input validation and sanitization in the gpon.lua script's Setting Handler component. The action_set_net_settings function directly incorporates user-supplied values from HTTP request parameters into shell commands without adequate filtering or escaping. Specifically, the following parameters are vulnerable: authLoid, authLoidPassword, authPassword, authSerialNo, authType, oltType, usVlanId, and usVlanPriority. This allows specially crafted input containing shell metacharacters to break out of the intended command context and execute arbitrary commands.
Attack Vector
The attack is network-based and can be executed remotely against devices exposed to the network. An authenticated attacker with administrative privileges can send malicious HTTP requests to the device's web management interface. By injecting shell metacharacters such as semicolons, backticks, or command substitution syntax into the vulnerable parameters, the attacker can append or substitute arbitrary commands that will be executed by the underlying system.
The vulnerability affects GPON (Gigabit Passive Optical Network) settings, which are typically accessible through the router's administrative interface. Attackers can leverage this to gain persistent access, exfiltrate sensitive configuration data, or disable security features on the device.
Technical details and proof-of-concept information are available in the GitHub PoC Repository.
Detection Methods for CVE-2026-5339
Indicators of Compromise
- Unexpected outbound connections from Tenda G103 devices to external IP addresses
- Unusual processes running on the device that are not part of standard firmware
- Modifications to device configuration files or startup scripts
- HTTP requests to the GPON settings endpoint containing shell metacharacters (;, |, $(), backticks)
- Unexplained changes to authentication parameters or VLAN configurations
Detection Strategies
- Monitor network traffic for HTTP requests to /cgi-bin/gpon.lua or similar endpoints containing suspicious patterns in parameter values
- Implement web application firewall rules to detect command injection attempts in authentication-related parameters
- Review device access logs for unusual administrative login patterns or configuration changes
- Deploy network intrusion detection signatures targeting command injection payloads in Tenda device traffic
Monitoring Recommendations
- Enable comprehensive logging on network perimeter devices to capture traffic to and from Tenda G103 routers
- Implement network segmentation to isolate IoT and network devices from critical infrastructure
- Configure alerts for configuration changes on router devices outside of maintenance windows
- Regularly audit firmware versions across deployed Tenda devices to identify vulnerable instances
How to Mitigate CVE-2026-5339
Immediate Actions Required
- Restrict administrative access to Tenda G103 devices to trusted networks and IP addresses only
- Disable remote management interfaces if not strictly required
- Place affected devices behind a firewall that can filter malicious HTTP requests
- Monitor for any vendor firmware updates that address this vulnerability
- Consider replacing affected devices with alternatives if no patch becomes available
Patch Information
As of the last update on April 2, 2026, no official patch has been released by Tenda. Users should monitor the Tenda Official Website for security advisories and firmware updates. Additional vulnerability details are tracked at VulDB Vulnerability #354670.
Workarounds
- Implement strict access control lists (ACLs) to limit who can access the administrative interface
- Use a VPN to access router management rather than exposing the web interface directly
- Deploy a web application firewall in front of the device to filter command injection attempts
- Disable GPON settings modification through the web interface if possible
- Segment the network to minimize potential impact if the device is compromised
# Example: Restrict management interface access via iptables on upstream device
iptables -A FORWARD -d <TENDA_G103_IP> -p tcp --dport 80 -s <TRUSTED_ADMIN_IP> -j ACCEPT
iptables -A FORWARD -d <TENDA_G103_IP> -p tcp --dport 80 -j DROP
iptables -A FORWARD -d <TENDA_G103_IP> -p tcp --dport 443 -s <TRUSTED_ADMIN_IP> -j ACCEPT
iptables -A FORWARD -d <TENDA_G103_IP> -p tcp --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
