CVE-2026-38060
Description
Command injection in Tenda 5G03 router firmware V05.03.02.04 via pin parameter in action_unlock_sim allows authenticated attackers to execute commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability is a command injection in the Tenda 5G03 router firmware version V05.03.02.04 (Version 1.0). It resides in the function action_unlock_sim within /usr/lib/lua/luci/controller/admin/telephony.lua. The function does not sanitize the pin parameter, allowing injection of shell commands. The code path is reachable via the /cgi-bin/luci/admin/telephony/trigger_sim_unlock endpoint. Affected versions: V05.03.02.04 [1].
Exploitation
An attacker needs a valid session cookie (sysauth) to authenticate to the router's web interface. The attack is performed by sending a POST request to the trigger_sim_unlock endpoint with parameters unlock=1 and a crafted pin value containing shell metacharacters (e.g., "; command; #"). The pin parameter is passed unsanitized to a shell command, leading to execution of the injected commands. The proof-of-concept shows using '1234"; touch /tmp/UNLOCK_SIM_VULN_PROVED; #' as the pin [1].
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands on the router with the privileges of the web server (likely root). This can lead to full compromise of the device, including data exfiltration, installation of malware, or denial of service [1].
Mitigation
As of the disclosure date (March 2026), no official patch has been released by Tenda. The vendor may need to provide a firmware update that sanitizes the pin parameter. Users should restrict network access to the router's management interface and ensure strong session credentials. The vulnerability is not listed in CISA's KEV as of publication [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the pin parameter in action_unlock_sim allows shell command injection."
Attack vector
An attacker sends a crafted POST request to `/cgi-bin/luci/admin/telephony/trigger_sim_unlock` with a `pin` parameter containing shell metacharacters. The example payload `1234"; touch /tmp/UNLOCK_SIM_VULN_PROVED; #` demonstrates command injection. The attacker must have a valid `sysauth` session cookie to reach the vulnerable endpoint. [1]
Affected code
The vulnerability resides in `/usr/lib/lua/luci/controller/admin/telephony.lua` within the function `action_unlock_sim`. This function processes the `pin` parameter without any sanitization or validation, allowing an attacker to inject arbitrary shell commands. [1]
What the fix does
The advisory does not provide a patch. The recommended fix would be to sanitize or validate the `pin` parameter before passing it to any shell execution context, for example by rejecting or escaping shell metacharacters such as `;`, `"`, and `#`. [1]
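An added example (not code from the advisory or from Tenda's firmware) of the validation recommended above, written in Lua because the affected controller is a LuCI Lua file. It assumes a SIM PIN is 4 to 8 decimal digits; `sim_unlock_tool`, its `--pin` flag and all function names are hypothetical placeholders.

```lua
-- Added example, not Tenda's code. "sim_unlock_tool" is a placeholder command.

-- Hypothetical unsafe pattern: the value is pasted inside double quotes,
-- so a `"` in the input ends the quoted argument early.
local function build_command_unsafe(pin)
  return 'sim_unlock_tool --pin "' .. pin .. '"'
end

-- Allowlist check. Assumption: a SIM PIN is 4 to 8 decimal digits.
local function is_valid_pin(pin)
  if type(pin) ~= "string" then return false end
  if #pin < 4 or #pin > 8 then return false end
  -- Lua's `$` anchors at the true end of the string, so "1234\n" fails.
  return pin:find("^%d+$") ~= nil
end

-- POSIX single-quote escaping, kept as defence in depth after validation.
local function shell_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Returns the command string, or nil plus an error for the HTTP handler.
local function build_command_safe(pin)
  if not is_valid_pin(pin) then
    return nil, "invalid PIN: expected 4-8 digits"
  end
  return "sim_unlock_tool --pin " .. shell_quote(pin)
end

-- Constructed sample inputs; the last is the payload quoted on this page.
local samples = {
  "1234",
  "12345678",
  "123",
  "12a4",
  "1234\n",
  '1234"; touch /tmp/UNLOCK_SIM_VULN_PROVED; #',
}

for _, pin in ipairs(samples) do
  local cmd, err = build_command_safe(pin)
  print(string.format("%q -> %s", pin, cmd or ("rejected (" .. err .. ")")))
end
print("unsafe string for last sample: " .. build_command_unsafe(samples[#samples]))
```

Rejecting on the allowlist is the primary control here; the quoting helper only matters if a later change loosens the validation.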
Preconditions
- auth: Attacker must possess a valid sysauth session cookie to authenticate with the router's web interface.
- network: The vulnerable endpoint /cgi-bin/luci/admin/telephony/trigger_sim_unlock must be reachable over the network.
- input: The pin parameter is passed unsanitized into a shell command, enabling injection of arbitrary commands.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.