Description
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.
Published: 2026-06-15
Score: 9.8 Critical
EPSS: 1.0% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Tenda 5G03 routers running firmware V05.03.02.04 (Version 1.0) contain a command‑injection vulnerability in the action_radio_on_with_ia_apn function. The flaw allows an adversary to inject arbitrary shell commands through the ia parameter, causing the operating system to execute those commands. Because the affected function is mapped to CWE‑78, the impact is remote command execution that can compromise the entire device, exposing confidentiality, integrity, and availability.

Affected Systems

Products affected are Tenda 5G03 routers with firmware V05.03.02.04 (Version 1.0). No other vendors or versions are documented in the CVE entry.

Risk and Exploitability

The CVSS score of 9.8 indicates a high potential for exploitation, and the EPSS score of 1% shows a low probability of widespread attacks at this time. The lack of a KEV listing does not reduce the inherent risk for exposed devices. Based on the description, it is inferred that the action_radio_on_with_ia_apn function is reachable through an HTTP request, and that an attacker can deliver malicious input via the ia parameter without requiring authentication. Exploiting the flaw would allow the attacker to run arbitrary operating‑system commands with router privileges, potentially leading to full device compromise.

Generated by OpenCVE AI on June 18, 2026 at 01:41 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the router to the latest firmware version from Tenda that contains a fix for the command‑injection flaw.
  • If firmware upgrading is delayed, block or disable the action_radio_on_with_ia_apn endpoint, or restrict it to trusted IP addresses by applying firewall or ACL rules.
  • Segregate the router’s management interface onto a dedicated network segment and limit access to authorized management hosts, while monitoring logs for suspicious activity.

Generated by OpenCVE AI on June 18, 2026 at 01:41 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Tenda
Tenda 5g03
Vendors & Products Tenda
Tenda 5g03

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Command Injection in Tenda 5G03 action_radio_on_with_ia_apn Function

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Command Injection in Tenda 5G03 action_radio_on_with_ia_apn Function

Tue, 16 Jun 2026 18:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-78
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T17:12:56.205Z

Reserved: 2026-04-06T00:00:00.000Z

Link: CVE-2026-38063

cve-icon Vulnrichment

Updated: 2026-06-16T16:20:15.452Z

cve-icon NVD

Status : Deferred

Published: 2026-06-15T20:16:26.687

Modified: 2026-06-16T19:16:36.463

Link: CVE-2026-38063

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:47Z

Weaknesses
  • CWE-78

    Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')