Description
A vulnerability was detected in Tenda G103 1.0.0.5. The impacted element is the function action_set_net_settings of the file gpon.lua of the component Setting Handler. Performing a manipulation of the argument authLoid/authLoidPassword/authPassword/authSerialNo/authType/oltType/usVlanId/usVlanPriority results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Published: 2026-04-02
Score: 5.1 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Command injection
Action: Update firmware
AI Analysis

Impact

A vulnerability exists in the firmware of the Tenda G103 router: the action_set_net_settings function in the gpon.lua script incorporates user-supplied configuration values into a shell command without proper validation. Based on the description, this flaw could allow an attacker to insert arbitrary commands into the request arguments and have them executed on the device. The exploit can be triggered remotely via a network connection to the router's management interface.

Affected Systems

The V1.0.0.5 firmware of the Tenda G103 model is affected. This device is commonly deployed in residential and small‑business environments. Any unit running the listed firmware build remains vulnerable until a newer firmware version is installed.

Risk and Exploitability

The CVSS base score of 5.1 places the issue in the medium range, and the EPSS score of less than 1% indicates a low estimated probability of exploitation. The vulnerability is not listed in the CISA KEV catalog. To trigger the command injection, an attacker would need to send a crafted HTTP request to the router from an external or internal network. Although the likelihood of exploitation appears low, successful exploitation could result in unintended command execution on the device, potentially allowing further compromise or persistence.

Generated by OpenCVE AI on April 6, 2026 at 21:24 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest firmware released by Tenda that addresses the command injection flaw
  • If no update is available, block or disable remote management access from the WAN side
  • Change the default administrator credentials to a strong, unique password
  • Monitor the router for unexpected processes or traffic that could indicate command execution

Advisories

No advisories yet.

History

Mon, 06 Apr 2026 16:45:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:h:tenda:g103:-:*:*:*:*:*:*:*
cpe:2.3:o:tenda:g103_firmware:1.0.0.5:*:*:*:*:*:*:*

Thu, 02 Apr 2026 20:30:00 +0000

Type Values Removed Values Added
First Time appeared Tenda g103
Vendors & Products Tenda g103
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 02 Apr 2026 14:45:00 +0000

Type Values Removed Values Added
Description A vulnerability was detected in Tenda G103 1.0.0.5. The impacted element is the function action_set_net_settings of the file gpon.lua of the component Setting Handler. Performing a manipulation of the argument authLoid/authLoidPassword/authPassword/authSerialNo/authType/oltType/usVlanId/usVlanPriority results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.
Title Tenda G103 Setting gpon.lua action_set_net_settings command injection
First Time appeared Tenda
Tenda g103 Firmware
Weaknesses CWE-74
CWE-77
CPEs cpe:2.3:o:tenda:g103_firmware:*:*:*:*:*:*:*:*
Vendors & Products Tenda
Tenda g103 Firmware
References
Metrics cvssV2_0

{'score': 5.8, 'vector': 'AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR'}

cvssV3_0

{'score': 4.7, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV3_1

{'score': 4.7, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R'}

cvssV4_0

{'score': 5.1, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-02T15:55:52.097Z

Reserved: 2026-04-01T14:09:12.110Z

Link: CVE-2026-5339

Vulnrichment

Updated: 2026-04-02T15:55:45.695Z

NVD

Status: Analyzed

Published: 2026-04-02T15:16:53.080

Modified: 2026-04-06T16:07:38.257

Link: CVE-2026-5339

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-07T07:56:17Z

Weaknesses