CVE-2026-38064
Description
A command injection vulnerability in Tenda 5G03 firmware V05.03.02.04 enables remote execution of arbitrary commands via the dialNumber parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A command injection vulnerability in Tenda 5G03 firmware V05.03.02.04 enables remote execution of arbitrary commands via the dialNumber parameter.
Vulnerability
The Tenda 5G03 router running firmware version V05.03.02.04 (Version 1.0) contains a command injection vulnerability in the function action_dial_call located in /usr/lib/lua/luci/controller/admin/telephony.lua. The dialNumber parameter is passed unsanitized to a system command, allowing injection of arbitrary shell commands [1].
Exploitation
An attacker with network access to the device can send a crafted POST request to /cgi-bin/luci/admin/telephony/trigger_call_dial_constant with a dialNumber parameter containing shell metacharacters. The reference PoC uses the payload 10086"; touch /tmp/DIAL_VULN_PROVED; # to create a file. The attack likely requires a valid session cookie (sysauth) to bypass authentication [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the device with root privileges. This can lead to full compromise of the router, including data exfiltration, installation of malware, or use as a pivot point for further attacks [1].
Mitigation
As of the CVE publication date (2026-06-15), no official patch has been released by Tenda. Users should monitor the vendor's website for firmware updates. Until a fix is available, restricting network access to the device's management interface and changing default credentials can reduce risk [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2Patches
0No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the dialNumber parameter in action_dial_call allows shell command injection."
Attack vector
An unauthenticated attacker (or one with a valid session cookie) sends a POST request to `/cgi-bin/luci/admin/telephony/trigger_call_dial_constant` with a crafted `dialNumber` value containing shell metacharacters. The PoC payload `10086"; touch /tmp/DIAL_VULN_PROVED; #` demonstrates command injection by closing the intended string and executing an arbitrary command. The `Dial` parameter is also required in the POST body. [ref_id=1]
Affected code
The vulnerability resides in `/usr/lib/lua/luci/controller/admin/telephony.lua` in the function `action_dial_call`. The function processes the `dialNumber` parameter without any sanitization or validation, allowing an attacker to inject arbitrary shell commands through that parameter.
What the fix does
No patch is provided in the bundle. The advisory states that the function `action_dial_call` handles the `dialNumber` parameter without checking it, which leads to command injection. To remediate, the vendor must sanitize or validate the `dialNumber` input, for example by escaping shell metacharacters or using a parameterized API instead of constructing shell commands from user input.
Preconditions
- networkThe attacker must be able to reach the vulnerable CGI endpoint on the device (default LAN IP 192.168.1.1).
- authA valid session cookie (`sysauth`) is required, as shown in the PoC.
Reproduction
Send a POST request to `http://192.168.1.1/cgi-bin/luci/admin/telephony/trigger_call_dial_constant` with cookies `{"sysauth": "session_id"}` and body `Dial=1&dialNumber=10086%22;%20touch%20/tmp/DIAL_VULN_PROVED;%20%23`. If successful, the file `/tmp/DIAL_VULN_PROVED` is created on the device. [ref_id=1]
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1News mentions
0No linked articles in our index yet.