Impact
The Tenda 5G03 router running firmware V05.03.02.04 (Version 1.0) contains a command injection flaw in the action_ims_on_with_apn function, which processes the ims_apn parameter. This vulnerability (CWE‑78) allows an attacker to embed arbitrary shell commands within the parameter value, causing those commands to execute on the device’s operating system with the privileges of the firmware process. The primary consequence is a full compromise of the device’s confidentiality, integrity, and availability, enabling the attacker to exfiltrate data, modify configurations, or use the device as a pivot for further attacks.
Affected Systems
Only Tenda brand 5G03 routers that run the specific firmware build V05.03.02.04 (Version 1.0) are affected. No other vendors or products are listed in the CNA data, so the impact is confined to this single product line.
Risk and Exploitability
The CVSS score of 9.8 indicates a critical severity. The EPSS score of less than 1% suggests that, at present, the likelihood of exploitation is low, and the vulnerability is not listed in the CISA KEV catalog. Based on the description, it is inferred that the ims_apn parameter is exposed via an HTTP request; therefore an attacker who can reach the device over the network—whether locally or from the internet—can exploit the flaw without authentication. If the device is exposed to untrusted networks or hosts, the risk is significant, and a firmware update or other mitigation is required.
OpenCVE Enrichment