Impact
The vulnerability is a command injection flaw (CWE‑78) in the action_set_volume function of the Tenda 5G03 router. The volume parameter is improperly sanitized, allowing an attacker who can reach this endpoint to inject arbitrary shell commands. If executed, the commands run with the router’s privileges, giving an attacker control over the device and any networks connected to it, as the flaw permits full remote code execution.
Affected Systems
The vulnerability affects Tenda 5G03 routers running firmware V05.03.02.04 (Version 1.0). No other vendors or products are listed as affected.
Risk and Exploitability
The CVSS score of 9.8 signals a critical severity. The EPSS score of 1% indicates a low likelihood of exploitation currently, but the high impact warrants attention. The flaw is not listed in the CISA KEV catalog. Based on the description, the vulnerable function appears reachable through the router’s web or API interface, but the exact attack vector is not directly specified, so this inference suggests remote exploitation via a web endpoint that accepts the volume parameter.
OpenCVE Enrichment