CVE-2026-38063

Vulnerability

The vulnerability exists in the Tenda 5G03 router firmware version V05.03.02.04 (Version 1.0). In the file /usr/lib/lua/luci/controller/admin/telephony.lua, the function action_radio_on_with_ia_apn processes the ia parameter without any sanitization. An attacker can inject arbitrary operating system commands through this parameter, leading to command injection. The web interface (Luci) exposes this endpoint, making it reachable over the network [1].

Exploitation

An attacker must have network access to the device's web interface (typically at http://192.168.1.1/) and possess a valid session cookie (sysauth). The attack sends a POST request to /cgi-bin/luci/admin/telephony/trigger_set_radio_on_with_ia with the crafted ia parameter. For example, injecting any_ia\"; touch /tmp/RADIO_IA_VULN_PROVED; # executes the touch command as root. The PoC code provided in the reference demonstrates the exact request structure: setting ia_apn to 1 and ia to the malicious payload [1].

Impact

Successful exploitation allows arbitrary command execution with root privileges, as the Luci controller runs with elevated permissions. The attacker can perform any system-level action, such as modifying configuration, exfiltrating data, installing malware, or pivoting to other network resources. This results in full compromise of the device's confidentiality, integrity, and availability [1].

Mitigation

As of the publication date, no official fixed firmware version has been announced by Tenda. Users should monitor the vendor's download page (https://www.tenda.com.cn/material/show/4058) for updates. In the interim, restrict network access to the web interface (e.g., via firewall rules), change default credentials, and disable remote management if not required. This vulnerability is not listed in the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing [1].