External risk intelligence

Tenda 5G03 Command Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-38065

A command injection vulnerability exists in Tenda 5G03 routers within the action_ims_on_with_apn function. If reachable, an unauthenticated attacker could inject commands by manipulating the ims_apn parameter. This could lead to a compromise of the device. The affected technology is a network edge gateway, making it a

5Halo Surface Signal

OS Command Injection

External exposure likelihood

Halo Surface Signal score for CVE-2026-38065

The affected product is a 5G router, which is designed to serve as an internet edge gateway. Such devices are public-facing by design in normal deployment, acting as the bridge between the public internet and the internal network.

PCI scan relevance

PCI Relevance for CVE-2026-38065

Yes

CVE-2026-38065 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

Command injection vulnerabilities, like this one in Tenda 5G03, are a PCI ASV automatic fail class, regardless of CVSS score, as they can allow attackers to execute arbitrary commands.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

This advisory concerns a critical vulnerability in Tenda 5G03 routers, specifically related to command injection. The issue allows for unauthorized control over the device through a network connection. The main concern is confirming the relevance and exposure of this technology within your infrastructure.

  • Unauthenticated remote attackers can inject commands.
  • Matters because network edge devices are prime targets.
  • Assess if Tenda 5G03 routers are in use.

Attack Path

How an attacker could exploit the issue

An attacker can exploit this vulnerability by sending a specially crafted request to the router's web interface. This request would target the `action_ims_on_with_apn` function and abuse the `ims_apn` parameter to inject malicious commands. Successfully executing these commands could allow an attacker to gain high privileges on the device, potentially leading to unauthorized access and control.

  • No authentication or user interaction needed.
  • Triggered via a web request with a malicious parameter.
  • Allows full device compromise.

Live Threat

Current exploitation, exposure, and threat context

A command injection vulnerability in the `action_ims_on_with_apn` function, when triggered via the `ims_apn` parameter, could allow an unauthenticated attacker to execute arbitrary commands on the affected device. This could impact the device's behavior and potentially expose system data.

  • System data and device control at risk.
  • Exploited remotely via a specific parameter.
  • Compromised device behavior and potential data exposure.

Operational Fix

Recommended remediation, mitigation, and detection steps

This critical command injection vulnerability in Tenda 5G03 routers requires immediate attention from the infrastructure or network security team responsible for managing edge devices. The first practical step is to identify all deployed instances of this router, determine their internet reachability and business criticality, and then coordinate with the vendor for a permanent fix.

  • Network/Infrastructure teams own the issue.
  • Verify router deployment and internet exposure.
  • Plan vendor coordination and remediation.

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Free EASM Trial See How Signal Works

Frequently asked questions

What is the Tenda 5G03 device affected by CVE-2026-38065?

The Tenda 5G03 is a 5G wireless router designed to provide high-speed cellular internet connectivity for homes and offices. It acts as a gateway that manages network traffic between a 5G mobile network and your local connected devices, such as laptops, smartphones, and smart home appliances.

What does command injection mean for this CVE?

This vulnerability is classified as CWE-78, which refers to OS Command Injection. It means an attacker can provide specially crafted input to the router that the system mistakenly executes as a direct system command. Instead of processing data as intended, the device runs unauthorized instructions, potentially allowing an attacker to take full control of the router's operating system.

How can an attacker trigger this vulnerability?

The vulnerability is triggered by sending malicious data to the ims_apn parameter within the action_ims_on_with_apn function. The flaw requires direct interaction with this specific network function. Simply browsing the web or connecting legitimate devices to the router's Wi-Fi network will not trigger this bug; it requires a deliberate, structured attempt to inject code into that specific management parameter.

Why is this CVE considered relevant for my network?

According to Halo Surface Signal, the Tenda 5G03 is designed as an internet edge gateway, meaning it typically sits directly between the public internet and your internal network. Because the vulnerability is accessible over the network without requiring user authentication, devices exposed directly to the internet are at a higher risk of being reached by external actors.

What are the first steps I should take if I use this router?

If you are running this model, prioritize checking the official Tenda support website for any available firmware updates. Since this involves a critical command injection flaw, applying the latest security patches provided by the manufacturer is the primary way to fix the underlying issue. If no update is currently available, consider restricting remote management access to the router’s configuration interface.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified