CVE-2026-38065
Description
Tenda 5G03 V05.03.02.04 is vulnerable to command injection in the action_ims_on_with_apn function via the ims_apn parameter.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The Tenda 5G03 router running firmware version V05.03.02.04 (Version 1.0) contains a command injection vulnerability in the function action_ims_on_with_apn located in /usr/lib/lua/luci/controller/admin/telephony.lua. The ims_apn parameter is passed directly to a system command without sanitization, allowing arbitrary command execution. The affected endpoint is /cgi-bin/luci/admin/telephony/trigger_set_ims_on_with_apn [1].
Exploitation
An attacker with network access to the router and a valid session cookie (e.g., sysauth) can exploit this by sending a crafted POST request to the vulnerable endpoint. The request includes the parameters ims_cfg_on set to 1 and ims_apn containing the attacker's command prefixed with a semicolon. For example, the payload ;touch /tmp/CLTaint_VULN_PROVED; executes touch /tmp/CLTaint_VULN_PROVED on the device [1].
Impact
Successful exploitation allows an attacker to execute arbitrary commands on the router with root privileges, leading to full compromise of the device. This can result in unauthorized access, data exfiltration, or further network attacks [1].
Mitigation
As of the publication date (2026-06-15), no official patch has been released by Tenda. Users should monitor the vendor's website for firmware updates. Until a fix is available, restrict network access to the router's management interface and use strong authentication to limit exposure [1].
AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing input validation on the ims_apn parameter in action_ims_on_with_apn allows shell command injection."
Attack vector
An attacker sends a POST request to `/cgi-bin/luci/admin/telephony/trigger_set_ims_on_with_apn` with a valid session cookie (`sysauth`). The `ims_apn` parameter is passed unsanitized into a shell command, enabling command injection. The researcher's PoC uses a semicolon to terminate the intended command and inject `;touch /tmp/CLTaint_VULN_PROVED;` as a proof of compromise. [1]
Affected code
The vulnerability resides in `/usr/lib/lua/luci/controller/admin/telephony.lua` in the function `action_ims_on_with_apn`. This function processes the `ims_apn` parameter without any sanitization or validation, allowing an attacker to inject arbitrary shell commands. [1]
What the fix does
The advisory does not include a patch. To remediate, the `ims_apn` value must be sanitized or validated before being passed to any shell execution function (e.g., `os.execute` or `io.popen`). Input should be restricted to allowed characters (alphanumeric and a limited set of safe symbols), and shell metacharacters such as `;`, `|` and `` ` `` must be rejected or escaped. [1]
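An added example of the validation described above, not taken from the advisory or from Tenda's firmware: a Lua allowlist check for an APN-style value, with shell quoting as a second layer. The function names, the 100-character limit and the DNS-label allowlist are assumptions; the first sample is the PoC string quoted on this page and the others are constructed.

```lua
-- Added example, not Tenda's code. All names are hypothetical.
local MAX_APN_LEN = 100  -- assumed upper bound on APN length

-- Accept only dot-separated labels of ASCII letters, digits and hyphens,
-- each label starting and ending with a letter or digit.
local function is_valid_apn(apn)
  if type(apn) ~= "string" or #apn == 0 or #apn > MAX_APN_LEN then
    return false
  end
  -- One pass rejects every byte outside the allowlist, which covers
  -- ; | ` $ & quotes, whitespace and newlines without listing them.
  if apn:find("[^A-Za-z0-9%.%-]") then
    return false
  end
  for label in (apn .. "."):gmatch("(.-)%.") do
    -- Empty labels and leading/trailing hyphens are refused; a leading
    -- hyphen could otherwise be read as an option by the called program.
    if label == "" or label:find("^%-") or label:find("%-$") then
      return false
    end
  end
  return true
end

-- Second layer: POSIX single-quoting, so the value stays one shell word
-- even if the allowlist is loosened later.
local function shell_quote(s)
  return "'" .. (s:gsub("'", "'\\''")) .. "'"
end

-- Returns a quoted argument, or nil plus an error message.
local function safe_apn_arg(apn)
  if not is_valid_apn(apn) then
    return nil, "invalid ims_apn"
  end
  return shell_quote(apn)
end

-- First sample is the PoC string quoted on this page; the rest are constructed.
local samples = {
  ";touch /tmp/CLTaint_VULN_PROVED;", "ims", "ims.mnc001.mcc001.gprs",
  "ims`id`", "-ims", "ims..apn", "ims apn",
}
for _, s in ipairs(samples) do
  local arg, err = safe_apn_arg(s)
  print(s, "->", arg or ("REJECTED: " .. err))
end
```

A request handler would call `safe_apn_arg` on the submitted value and return an error without running any command when it yields nil.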
Preconditions
- auth: Attacker must have a valid session cookie (sysauth) to authenticate with the router's web interface
- network: Attacker must be able to reach the router's web interface on the local network (default 192.168.1.1)
- input: The ims_apn parameter is attacker-controlled and passed unsanitized to a shell command
Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.