External risk intelligence

Tenda 5G03 Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-38063

A command injection vulnerability exists in Tenda 5G03 routers, allowing unauthenticated attackers to execute arbitrary commands over the network by manipulating a specific function's parameter. This could compromise the device's integrity and the security of the network it manages.

4Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-38063

The product is a 5G router, which is typically deployed as an internet-facing gateway or edge device. The vulnerability involves a command injection point in a radio configuration function that is often accessible via the device's web management interface, which is commonly exposed to the network in standard home or small office deployments.

PCI scan relevance

PCI Relevance for CVE-2026-38063

Yes

CVE-2026-38063 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows for remote code execution through command injection. Such vulnerabilities are a known cause of ASV scan failures for PCI compliance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Tenda 5G03 routers related to command injection, which could allow unauthenticated attackers to execute arbitrary commands on affected devices via a specific function. Given the nature of the affected technology, it's important to confirm if this specific product is deployed within the organization's environment.

  • Commands can be run by attackers.
  • It impacts internet-facing devices.
  • Confirm if this router is used.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted request over the network to a Tenda 5G03 router. This request targets the `action_radio_on_with_ia_apn` function, specifically manipulating the `ia` parameter to inject malicious commands. Successful exploitation allows an attacker to execute arbitrary commands on the affected device, potentially leading to complete system compromise.

  • Attacker needs network access.
  • Sends request to vulnerable function.
  • Allows arbitrary command execution.

Live Threat

Current exploitation, exposure, and threat context

The vulnerability in the Tenda 5G03 router's radio function could allow an unauthenticated attacker to inject and execute arbitrary commands over the network. This could potentially affect the device's operational integrity and the security of the network it manages.

  • Router command execution could be compromised.
  • Network access can trigger command injection.
  • Device functionality and network security at risk.

Operational Fix

Recommended remediation, mitigation, and detection steps

To address this command injection vulnerability in Tenda 5G03 routers, the primary responsibility likely falls to teams managing network edge devices or IoT deployments. The first critical step is to identify all instances of this specific Tenda router model within your environment. Confirm their network exposure and business criticality to prioritize remediation efforts and identify the accountable owner for these devices.

  • Network and IoT teams own the issue.
  • Verify router exposure and criticality.
  • Plan vendor coordination or replacement.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the Tenda 5G03 router?

The Tenda 5G03 is a 5G wireless router designed to provide high-speed internet connectivity for homes and small offices. It acts as a gateway, managing traffic between the local network and the broader internet. Because it handles wireless 5G signals and connects internal devices to the web, it is typically positioned as an edge device within an IT or home infrastructure.

What does CVE-2026-38063 mean?

This CVE identifies a command injection vulnerability, classified as CWE-78. In plain English, this means the device fails to properly filter inputs, allowing someone to "inject" and run their own system commands. Because the vulnerability exists within the device's own software, an attacker can trick the router into executing instructions as if they were legitimate system processes, leading to total control over the device.

How is this command injection triggered?

An attacker triggers this by sending a specially crafted request to the router's network interface, specifically targeting the 'action_radio_on_with_ia_apn' function. By manipulating the 'ia' parameter in this request, they can force the router to run unauthorized commands. Importantly, simply browsing the internet or using the router's standard Wi-Fi does not trigger the bug; the attacker must intentionally send a malicious network request specifically formatted for this function.

Is my Tenda 5G03 device at risk?

If you are running the affected model, your risk depends on how it is deployed. According to Halo Surface Signal, this router is typically used as an internet-facing gateway, making it highly visible to the network. Devices that are directly connected to the internet are more easily reached by potential attackers compared to those protected behind additional firewalls or restricted to internal, private management segments.

What should I do if I use this router?

The first step is to perform an internal inventory to confirm if this specific model is in use in your environment. Once identified, evaluate whether the device is exposed to the internet or if its management interface is accessible remotely. Prioritize determining who manages these devices—such as your network or IoT support teams—to coordinate next steps, which may include restricting network access or checking for vendor-provided updates.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified