Description
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This vulnerability exists in Tenda 5G03 routers running firmware V05.03.02.04 (Version 1.0). The action_set_volume function fails to properly sanitize the volume parameter, allowing an attacker to inject arbitrary shell commands. If an attacker can reach this endpoint, they can execute commands with the privileges of the router process, potentially compromising the entire device and any connected networks.

Affected Systems

Tenda 5G03 router, firmware V05.03.02.04 (Version 1.0). No other vendors or product versions are listed as affected in the CNA data.

Risk and Exploitability

The CVSS score of 9.8 reflects the severity of this vulnerability. The EPSS score of less than 1% indicates a low probability of exploitation in the wild, although the high impact justifies immediate attention. This vulnerability is not listed in CISA KEV. The likely attack vector is remote command execution through the router’s web or API interface, as the vulnerable function is exposed and the volume parameter is not properly sanitized.

Generated by OpenCVE AI on June 17, 2026 at 00:13 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply a firmware update from Tenda that addresses command injection in the action_set_volume endpoint once one is available.
  • Restrict access to the router’s management interface by implementing firewall rules or disabling ports that expose the vulnerable function.
  • Segment the network so that only trusted devices can reach the router’s administrative network.
  • If a patch is not available, consider disabling or blocking the volume control feature to eliminate the attack surface.

Advisories

No advisories yet.

History

Wed, 17 Jun 2026 05:15:00 +0000

Type | Values Removed | Values Added
Title | | Command Injection via Volume Parameter in Tenda 5G03 Router

Tue, 16 Jun 2026 18:30:00 +0000

Type | Values Removed | Values Added
Weaknesses | | CWE-78
Metrics | | cvssV3_1: {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}; ssvc: {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Mon, 15 Jun 2026 19:30:00 +0000

Type | Values Removed | Values Added
Description | | Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.
References | |

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T17:13:08.217Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38061

Vulnrichment

Updated: 2026-06-16T16:44:06.840Z

NVD

Status: Deferred

Published: 2026-06-15T20:16:26.483

Modified: 2026-06-16T19:16:36.153

Link: CVE-2026-38061

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-17T00:15:16Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')