External risk intelligence

Tenda 5G03 Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-38060

A critical command injection vulnerability exists in Tenda 5G03 routers. Attackers can execute arbitrary commands, potentially compromising the device and network. This is concerning as these routers are often internet-facing gateways.

4Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-38060

The product is a 5G router, which is commonly deployed as an internet-facing gateway or edge device. The vulnerable function involves SIM management, a core feature of such network appliances, making it often reachable via the device's management interface or web portal.

PCI scan relevance

PCI Relevance for CVE-2026-38060

Yes

CVE-2026-38060 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

Command injection in Tenda 5G03 allows unauthenticated remote attackers to execute arbitrary commands, posing a significant risk that would likely cause a PCI ASV scan to fail.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical command injection vulnerability affecting Tenda 5G routers. The flaw allows unauthenticated attackers to execute arbitrary commands on the device, potentially leading to a complete compromise of the network infrastructure and sensitive data. Given the common deployment of these routers as internet-facing gateways, the exposure is significant.

Attackers can run commands on routers.
Routers are internet-facing gateways.
Confirm relevance and exposure.

Attack Path

How an attacker could exploit the issue

An attacker could reach the vulnerable component by sending a specially crafted request to the device's web interface, likely targeting the SIM management feature. This could allow them to execute arbitrary commands on the device, potentially leading to a complete compromise.

Vulnerable to unauthenticated network access.
Command injection via the `pin` parameter.
Full device compromise.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary commands on the affected device through a vulnerable function related to SIM card management. This could occur when the device's management interface or web portal is accessible.

Device commands and configuration.
Network access to the device.
Compromise of device integrity.

Operational Fix

Recommended remediation, mitigation, and detection steps

The vulnerability in Tenda 5G03 routers likely falls under the purview of network infrastructure or security teams responsible for managing edge devices and internet-facing hardware. The first practical step is to identify all instances of this specific router model within your environment, confirm its exposure to external networks, and determine its business criticality to prioritize remediation efforts. This will help in assigning ownership and planning a coordinated response.

Network or security team ownership.
Verify external reachability and criticality.
Plan vendor engagement for remediation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the Tenda 5G03 device?

The Tenda 5G03 is a 5G router designed to provide high-speed cellular internet connectivity. It functions as a gateway or edge device, managing network traffic for connected users and devices. Because it handles core networking tasks like SIM card management and web-based administration, it acts as a central control point for the local network's connection to the internet.

What does command injection mean for CVE-2026-38060?

This vulnerability is a form of Command Injection (CWE-78). It means the router fails to properly sanitize input before processing it. An attacker can supply malicious instructions disguised as data—specifically through the 'pin' parameter—which the device then inadvertently executes as system commands. This grants the attacker unauthorized control over the router's underlying operating system.

How can an attacker trigger this vulnerability?

An attacker triggers this flaw by sending a specifically crafted request to the router's web interface, targeting the SIM card unlocking function. The vulnerability requires no authentication, meaning the attacker does not need a username or password to initiate the attack. However, the command will not trigger if the web portal is inaccessible to the attacker or if the management interface has been disabled.

Is my Tenda 5G03 at risk?

According to Halo Surface Signal, this device is frequently deployed as an internet-facing gateway, which increases the likelihood that it is reachable by unauthorized parties. If your router's management interface is accessible from the public internet, it faces a higher risk of being targeted by this flaw. You should evaluate how your routers are positioned in your network to determine if they are exposed.

What should I do if I use this router?

Start by creating an inventory of all Tenda 5G03 devices in your network to determine where they are deployed. Prioritize verifying whether these devices are reachable from the public internet. If they are, restrict access to the management interface as an immediate precaution while you monitor for official vendor updates or guidance on how to secure the affected SIM management feature.

References

github.com/sezangel/IOT-vul/tree/main/Tenda/5G03/action_unlock_sim

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.