External risk intelligence

Tenda 5G03 Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-38064

A command injection vulnerability exists in Tenda 5G03 devices, allowing unauthenticated attackers to execute arbitrary commands remotely. This could lead to device compromise, affecting system data and service behavior. Verifying the presence and network exposure of these devices is crucial.

5Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-38064

The product is a 5G router/gateway device. Such networking appliances are designed to operate at the network edge to provide internet connectivity, making their management interfaces and services inherently public-facing or easily reachable from the internet in standard deployment scenarios.

PCI scan relevance

PCI Relevance for CVE-2026-38064

Yes

CVE-2026-38064 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

A command injection vulnerability in Tenda 5G03 could lead to a critical finding during a PCI ASV scan, likely requiring remediation before a passing attestation.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability found in Tenda 5G03 devices, specifically related to a command injection flaw in a network-facing function. Exploitation of this vulnerability could allow an attacker to execute arbitrary commands on the affected devices, potentially leading to significant disruption or unauthorized access to network resources. The main concern is confirming if this type of device is in use and its exposure.

Flaw lets attackers run commands on routers.
Critical vulnerability in widely deployed networking devices.
Verify device presence and network exposure.

Attack Path

How an attacker could exploit the issue

An attacker can remotely send a specially crafted request to a vulnerable Tenda router, targeting the `action_dial_call` function. By manipulating the `dialNumber` parameter, they can inject and execute arbitrary commands on the device, potentially leading to a complete compromise of the router.

No authentication or user interaction needed.
Sending a malicious `dialNumber` parameter.
Full device compromise and control.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to execute arbitrary commands on the affected device by sending a specially crafted request to the `action_dial_call` function. When supported by the advisory, this could affect system data and service behavior.

Device system data and configuration.
Via a network request to the device.
Unauthorized command execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The command injection vulnerability in Tenda 5G03 firmware requires immediate attention from network and security teams. The first practical step is to identify all instances of this specific device, confirm their exposure to the internet or business criticality, and then assign ownership for remediation based on the risk assessment.

Network and security teams own this.
Verify device exposure and criticality.
Plan and coordinate remediation efforts.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the Tenda 5G03 device affected by CVE-2026-38064?

The Tenda 5G03 is a 5G router and gateway designed to bridge cellular data connections to local networks. These devices act as critical networking appliances, sitting at the network edge to provide internet connectivity to homes or offices. Because they manage incoming and outgoing traffic, they are foundational infrastructure for any connected environment using this specific hardware.

How does this command injection vulnerability work?

This vulnerability is classified as CWE-78, which refers to improper neutralization of special elements used in an OS command. In simple terms, the software fails to properly filter input. Because the device doesn't sanitize the 'dialNumber' parameter, an attacker can input extra characters that the router mistakenly treats as system commands, granting them unauthorized control over the device.

Do I need to be logged into the router for this to be triggered?

No, this vulnerability does not require authentication or any interaction from a user. An attacker can trigger the flaw remotely by sending a specifically crafted request to the 'action_dial_call' function. Simply navigating the web interface or performing standard administrative tasks does not trigger this; the issue specifically arises from malicious external inputs directed at that function.

Why is the Tenda 5G03 considered internet-facing in this context?

Halo Surface Signal indicates that because the Tenda 5G03 is a 5G gateway, it is designed for deployment at the network edge. Such devices often have management services that are reachable from the internet by design, which increases the likelihood that a remote attacker can reach the vulnerable function without needing to be physically present on your local network.

What are the first steps to handle CVE-2026-38064?

Start by identifying every Tenda 5G03 device in your network environment. Once you have a list of active hardware, verify whether these devices are accessible from the internet or if they serve critical business functions. After determining which devices are in use and their connectivity state, assign ownership to your technical team to prioritize and coordinate the necessary remediation steps.

References

github.com/sezangel/IOT-vul/tree/main/Tenda/5G03/action_dial_call

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.