Description
A vulnerability was detected in Tenda G103 1.0.0.5. The impacted element is the function action_set_net_settings of the file gpon.lua of the component Setting Handler. Performing a manipulation of the argument authLoid/authLoidPassword/authPassword/authSerialNo/authType/oltType/usVlanId/usVlanPriority results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: 5.7% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in the action_set_net_settings function of the gpon.lua script on the Tenda G103 router. Maliciously crafted values for parameters such as authLoid, authLoidPassword, authPassword, authSerialNo, authType, oltType, usVlanId, and usVlanPriority are incorporated directly into a system-level command without validation, creating a command injection flaw. Successful exploitation allows an attacker to run arbitrary commands on the device and could compromise the entire router.

Affected Systems

Firmware version 1.0.0.5 on the Tenda G103 model is affected. Devices deployed with this firmware and their current configuration are vulnerable until the firmware is corrected by the vendor.

Risk and Exploitability

The CVSS base score of 5.1 places the issue in the medium range, while an EPSS score of 6% indicates a modest probability of exploitation. The vulnerability is not listed in CISA KEV. The description states that the attack can be initiated remotely; based on typical router management interfaces, the likely attack vector is a network request sent to the device from an external or internal source, though the specific protocol (e.g., HTTP) is not explicitly disclosed in the CVE data.

Generated by OpenCVE AI on June 18, 2026 at 14:43 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware update released by Tenda that addresses the command injection flaw in gpon.lua.
  • If a patch is not yet available, block or disable remote management access from the WAN side to limit exposure to the vulnerable interface.
  • Enforce strong, unique administrator credentials and consider two‑factor authentication to reduce the risk of credential compromise.

Generated by OpenCVE AI on June 18, 2026 at 14:43 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:h:tenda:g103:-:*:*:*:*:*:*:*
cpe:2.3:o:tenda:g103_firmware:1.0.0.5:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Tenda g103
Vendors & Products Tenda g103
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Tenda G103 1.0.0.5. The impacted element is the function action_set_net_settings of the file gpon.lua of the component Setting Handler. Performing a manipulation of the argument authLoid/authLoidPassword/authPassword/authSerialNo/authType/oltType/usVlanId/usVlanPriority results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Title Tenda G103 Setting gpon.lua action_set_net_settings command injection
First Time appeared Tenda
Tenda g103 Firmware
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:o:tenda:g103_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda
Tenda g103 Firmware
References
Metrics cvssV2_0

{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


Subscriptions

Tenda G103 G103 Firmware
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T15:55:52.097Z

Reserved: 2026-04-01T14:09:12.110Z

Link: CVE-2026-5339

cve-icon Vulnrichment

Updated: 2026-04-02T15:55:45.695Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-02T15:16:53.080

Modified: 2026-06-17T10:58:51.280

Link: CVE-2026-5339

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-18T14:45:11Z

Weaknesses
  • CWE-74

    Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')

  • CWE-77

    Improper Neutralization of Special Elements used in a Command ('Command Injection')