CVE-2026-38061
Description
Command injection in Tenda 5G03 router's action_set_volume function allows authenticated remote attackers to execute arbitrary commands.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Tenda 5G03 router running firmware version V05.03.02.04 (Version 1.0) contains a command injection vulnerability in the function action_set_volume located in /usr/lib/lua/luci/controller/admin/telephony.lua. The volume parameter is passed to a system command without proper sanitization, allowing an attacker to inject arbitrary OS commands. The vulnerable endpoint is /cgi-bin/luci/admin/telephony/trigger_call_set_volume [1].
Exploitation
An attacker must have network access to the router's LAN interface and possess a valid session cookie (sysauth) to authenticate with the web interface. The attack is performed by sending a POST request to the vulnerable endpoint with a crafted volume parameter containing a command injection payload, such as 1; touch /tmp/VOLUME_VULN_PROVED; #. The injected command is executed with the privileges of the web server (typically root) [1].
Impact
Successful exploitation allows an authenticated remote attacker to execute arbitrary commands on the device with root privileges. This can lead to full compromise of the router, including information disclosure, modification of configuration, denial of service, or use as a pivot point for further attacks on the internal network.
Mitigation
As of the publication date, no official firmware update has been released by Tenda to address this vulnerability. Users should restrict access to the management interface to trusted networks only, use strong administrative credentials, and disable remote management if not required. The vulnerability is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the `volume` parameter in the `action_set_volume` function allows command injection."
Attack vector
An attacker sends a crafted POST request to `/cgi-bin/luci/admin/telephony/trigger_call_set_volume` with a `volume` parameter containing a command injection payload (e.g., `1; touch /tmp/VOLUME_VULN_PROVED; #`). The attacker must possess a valid `sysauth` session cookie to authenticate the request. The lack of input validation in the `action_set_volume` function causes the injected commands to be executed on the device. [1]
Affected code
The vulnerable function `action_set_volume` is located in `/usr/lib/lua/luci/controller/admin/telephony.lua`. It handles the `volume` parameter without any sanitization or validation, allowing an attacker to inject arbitrary shell commands. [1]
What the fix does
The advisory does not include a patch or vendor fix. The recommended remediation is to sanitize and validate the `volume` parameter in the `action_set_volume` function before passing it to any shell command, preventing command injection. [1]
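One way to apply the validation recommended above, as an added example that is not Tenda's code and is not taken from the advisory: an allow-list parser for the `volume` value in plain Lua, run over constructed inputs. The 0 to 10 range, the function names and the `volume_tool` command name are assumptions for illustration.

```lua
-- Added example: allow-list validation for a numeric "volume" form value.
-- Assumptions (not from the advisory): the 0..10 range, the function names,
-- and the placeholder command name "volume_tool".
local VOLUME_MIN, VOLUME_MAX = 0, 10

-- Returns an integer on success, or nil plus a reason on rejection.
local function parse_volume(raw)
  if type(raw) ~= "string" then
    return nil, "missing or non-string value"
  end
  -- One to three ASCII digits and nothing else. Lua's "$" anchors at the
  -- true end of the string, so a trailing newline is rejected as well as
  -- ';', '#', spaces, signs and any other shell-significant character.
  if not raw:match("^%d%d?%d?$") then
    return nil, "not a plain decimal integer"
  end
  local n = tonumber(raw, 10)
  if n < VOLUME_MIN or n > VOLUME_MAX then
    return nil, "out of range"
  end
  return n
end

-- Builds the command text from the validated integer only, never from raw.
local function build_command(raw)
  local n, err = parse_volume(raw)
  if not n then
    return nil, err
  end
  return string.format("volume_tool %d", n)
end

-- Constructed inputs; the second is the payload string quoted in the advisory.
local samples = {
  "5",
  "1; touch /tmp/VOLUME_VULN_PROVED; #",
  "7\n",
  " 3",
  "0x5",
  "-1",
  "999",
  "",
  { "1", "2" }, -- constructed non-string case
}
for _, raw in ipairs(samples) do
  local cmd, err = build_command(raw)
  print(string.format("%q -> %s", tostring(raw), cmd or ("REJECTED: " .. err)))
end
```

Only the first sample yields a command; every other input is rejected before any command text is built.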
Preconditions
- auth: The attacker must have a valid sysauth session cookie to authenticate with the router's web interface.
- config: The target device must be running Tenda 5G03 firmware version V05.03.02.04 (Version 1.0).
- network: The attacker must have network access to the router's web interface (typically on port 80/443).
- input: The attacker sends a crafted POST request with a malicious volume parameter containing shell metacharacters.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.