CVE-2026-38062
Description
Tenda 5G03 V05.03.02.04 is vulnerable to command injection in the action_set_rat_mode function via the ratMode parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Tenda 5G03 firmware version V05.03.02.04 (Version 1.0), the action_set_rat_mode function in /usr/lib/lua/luci/controller/admin/telephony.lua processes the ratMode parameter without input validation. The parameter is passed unsanitized into a string.format call that builds a command for mipc_wan_cli --nw_set_rat, enabling command injection [1].
Exploitation
An attacker must have network access to the device's LAN interface (typically at 192.168.1.1) and a valid session cookie (sysauth) to authenticate. The exploit sends an HTTP POST request to /cgi-bin/luci/admin/telephony/trigger_set_nw_rat with Set=1 and a crafted ratMode value that closes the double quote, appends an arbitrary command, and comments out the rest (e.g., 4G"; touch /tmp/RAT_MODE_VULN_PROVED; #) [1]. The command executes with root privileges.
Impact
Successful exploitation allows arbitrary command execution as root, leading to full compromise of the device. An attacker can read or modify sensitive data, install malware, or disrupt network services. No prior privilege escalation is required because the vulnerable process runs with elevated permissions [1].
Mitigation
As of the publication date, no official patch has been released by Tenda [1]. Users should restrict network access to the management interface (e.g., disable remote management, apply firewall rules, or isolate the device on a VLAN). Monitor for firmware updates from Tenda's website; if none are available, consider replacing the device or applying network segmentation.
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 2
Patches: 0. No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the ratMode parameter allows shell metacharacter injection in a command string built with string.format()."
Attack vector
An unauthenticated or authenticated attacker sends a POST request to `/cgi-bin/luci/admin/telephony/trigger_set_nw_rat` with a crafted `ratMode` parameter. By injecting a double-quote character to break out of the string argument, followed by a semicolon and arbitrary shell commands, the attacker achieves command injection [1]. The PoC uses `4G"; touch /tmp/RAT_MODE_VULN_PROVED; #` to demonstrate the injection.
Affected code
The vulnerability resides in `/usr/lib/lua/luci/controller/admin/telephony.lua` in the function `action_set_rat_mode`. The function passes the user-supplied `ratMode` parameter directly into a `string.format()` call that builds a shell command without any sanitization or validation [1].
What the fix does
No patch is provided in the bundle. The advisory [1] states that the function `action_set_rat_mode` handles the `ratMode` parameter without checking it. A proper fix would require validating or sanitizing the `ratMode` input before passing it to `string.format("mipc_wan_cli --nw_set_rat \"%s\"", ratMode)`, for example by rejecting characters such as `"`, `;`, and `#` that allow shell metacharacter injection.
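The validation described above, sketched in Lua as an added example; it is not Tenda's code or a vendor patch. The allowlist values and the helper names `build_cmd_vulnerable`, `build_cmd_hardened` and `shell_quote` are assumptions, and an exact-match allowlist is used instead of the character denylist because a denylist has to anticipate every shell metacharacter.

```lua
-- Added example, not Tenda's code. The vulnerable builder mirrors the
-- string.format call quoted above; everything else is an assumption.

-- ASSUMPTION: hypothetical set of legal modes. The page only shows "4G".
local ALLOWED_RAT_MODES = { ["4G"] = true, ["5G"] = true, ["AUTO"] = true }

-- Vulnerable pattern: request input is interpolated into a shell string.
local function build_cmd_vulnerable(ratMode)
  return string.format("mipc_wan_cli --nw_set_rat \"%s\"", ratMode)
end

-- POSIX single-quote escaping, kept as defense in depth behind the allowlist.
local function shell_quote(s)
  local escaped = s:gsub("'", "'\\''")
  return "'" .. escaped .. "'"
end

-- Hardened pattern: exact-match allowlist, so no metacharacter denylist
-- has to be kept complete. Returns the command, or nil plus a reason.
local function build_cmd_hardened(ratMode)
  if type(ratMode) ~= "string" or not ALLOWED_RAT_MODES[ratMode] then
    return nil, "rejected: ratMode not in allowlist"
  end
  return "mipc_wan_cli --nw_set_rat " .. shell_quote(ratMode)
end

-- Constructed inputs: one legal value, the PoC string from the advisory,
-- an unknown mode, and a missing parameter (nil).
local poc = '4G"; touch /tmp/RAT_MODE_VULN_PROVED; #'

assert(build_cmd_hardened("4G") == "mipc_wan_cli --nw_set_rat '4G'")
assert(build_cmd_hardened(poc) == nil)
assert(build_cmd_hardened("6G") == nil)
assert(build_cmd_hardened(nil) == nil)
assert(shell_quote("a'b") == "'a'\\''b'")

-- The vulnerable builder emits the PoC's quote and semicolon unescaped,
-- so the shell would see more than one command.
print(build_cmd_vulnerable(poc))
-- The hardened builder returns nil plus the rejection reason.
print(build_cmd_hardened(poc))
```

Where the platform allows it, invoking the binary with an argument vector rather than a shell string removes the quoting problem altogether.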
Preconditions
- network: The attacker must be able to send HTTP POST requests to the device's web interface (typically on port 80 or 443).
- auth: A valid session cookie (sysauth) may be required depending on the device's authentication configuration.
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0. No linked articles in our index yet.