Description
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a command injection flaw (CWE‑78) in the action_set_volume function of the Tenda 5G03 router. The volume parameter is improperly sanitized, allowing an attacker who can reach this endpoint to inject arbitrary shell commands. If executed, the commands run with the router’s privileges, giving an attacker control over the device and any networks connected to it, as the flaw permits full remote code execution.

Affected Systems

The vulnerability affects Tenda 5G03 routers running firmware V05.03.02.04 (Version 1.0). No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 9.8 signals a critical severity. The EPSS score of 1% indicates a low likelihood of exploitation currently, but the high impact warrants attention. The flaw is not listed in the CISA KEV catalog. Based on the description, the vulnerable function appears reachable through the router’s web or API interface, but the exact attack vector is not directly specified, so this inference suggests remote exploitation via a web endpoint that accepts the volume parameter.

Generated by OpenCVE AI on June 18, 2026 at 03:39 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any firmware update that addresses the command injection in the action_set_volume endpoint.
  • Restrict access to the router’s management interface by configuring firewall rules or disabling exposed ports.
  • Segment the network so that only trusted devices and administrators can reach the router’s administrative network.
  • If a patch is unavailable, block or disable the volume control feature to remove the attack surface.

Generated by OpenCVE AI on June 18, 2026 at 03:39 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 19 Jun 2026 09:45:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda 5g03
Vendors & Products Tenda
Tenda 5g03

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Command Injection via Volume Parameter in Tenda 5G03 Router

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Command Injection via Volume Parameter in Tenda 5G03 Router

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T17:13:08.217Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38061

cve-icon Vulnrichment

Updated: 2026-06-16T16:44:06.840Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:26.483

Modified: 2026-06-16T19:16:36.153

Link: CVE-2026-38061

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-19T09:36:07Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')