Tenda 5G03: Six Command-Injection CVEs Disclosed in a Single Firmware Batch
Six command-injection vulnerabilities disclosed together in the Tenda 5G03 cellular router, all in firmware V05.03.02.04, with no patch yet available.
Key findings
- Six command-injection CVEs disclosed together for Tenda 5G03 firmware V05.03.02.04
- All six flaws are OS command injection (CWE-78) in different web management functions
- No patch available as of disclosure; vendor has not yet released a fixed firmware
- Vulnerable functions span SIM unlock, dialing, radio mode, volume, and APN settings
- Systemic input-validation gap across the entire CGI interface, not isolated bugs
On June 15, 2026, six command-injection vulnerabilities were disclosed together affecting the Tenda 5G03 cellular router, firmware version V05.03.02.04. All six CVEs share the same root cause — unsanitized user input passed to system-level commands in the device's web management interface — making this a concentrated batch of flaws that could allow an unauthenticated attacker to execute arbitrary operating-system commands on the router.
The six CVEs each target a different handler function in the router's CGI interface. CVE-2026-38065 resides in the action_ims_on_with_apn function, where the ims_apn parameter is injected directly into a command string. CVE-2026-38064 exploits the action_dial_call function through the dialNumber parameter. CVE-2026-38063 affects action_radio_on_with_ia_apn via the ia parameter. CVE-2026-38062 targets action_set_rat_mode through the ratMode parameter. CVE-2026-38061 leverages action_set_volume via the volume parameter. Finally, CVE-2026-38060 exploits action_unlock_sim through the pin parameter.
All six vulnerabilities are classified as OS command injection (CWE-78). Because the Tenda 5G03 is a 5G cellular router typically deployed at network edges — in branch offices, remote sites, or as a primary WAN uplink — successful exploitation could give an attacker full control over the device, including the ability to intercept or redirect traffic, pivot into internal networks, or disrupt connectivity.
As of the disclosure date, Tenda has not released a patched firmware version. Users of the 5G03 running V05.03.02.04 (Version 1.0) are advised to restrict administrative access to the web interface to trusted IP addresses only, disable remote management if not required, and monitor the vendor's support portal for a firmware update. No evidence of in-the-wild exploitation has been reported at the time of publication.
The batch is notable for its uniformity: every CVE is a command injection in the same firmware version, and the vulnerable functions span a wide range of device operations — from SIM unlocking and dialing to radio-mode switching and volume control. This suggests a systemic lack of input validation across the entire web management stack rather than isolated coding mistakes. Until a patch arrives, the Tenda 5G03 remains exposed to a family of attacks that require only network access to the device's management interface.