How is CVE-2026-38060 exploited?

Network reachability (required): The vulnerable function is exposed over the network, so the attacker must be able to reach the device's network interface to send a crafted request. Authentication (not-required): No credentials of any privilege level are required; the action_unlock_sim endpoint accepts unauthenticated requests. Victim interaction (not-required): The attack is fully server-side and completes without any action from a user or administrator on the target device. Attack complexity (info): Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are needed.

What is the impact of CVE-2026-38060?

A successful attacker can execute arbitrary operating system commands on the router, gaining full shell-level control of the device. Confidential data stored on or passing through the device, including network credentials and SIM-related parameters, becomes readable to the attacker. The attacker can modify device configuration, routing rules, or firmware state, enabling persistent access or traffic interception. The attacker can crash or fully disable the router, cutting off network connectivity for all clients depending on the device.

Back to search

CRITICALCVE-2026-38060Published 2026-06-15Modified 2026-06-16CNA mitre

CVE-2026-38060: Tenda 5G03 V05

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin parameter.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Command injection in the Tenda 5G03 V05.03.02.04 router allows a remote, unauthenticated attacker to inject arbitrary operating system commands through the pin parameter of the action_unlock_sim function. The vulnerability is reachable over the network and requires no credentials or user interaction. Successful exploitation gives the attacker full control over the device, including the ability to read, modify, or delete data and crash or hijack the running system. HarborGuard is tracking the upstream advisory for patch availability, as no fix version has been published.

HarborGuard Coverage

Detection

Detection for CVE-2026-38060 is available across every HarborGuard environment; the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle or reference the affected Tenda firmware components.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weighting that score against each customer environment's compliance policy to prioritize routing; triage findings are directed to the appropriate team inbox within each customer organization based on configured ownership rules.

Available

Patch

Because no upstream fix version has been published for CVE-2026-38060, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. Where compliance policy permits, auto-remediation customers will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable function is exposed over the network, so the attacker must be able to reach the device's network interface to send a crafted request.
AuthenticationNot required
No credentials of any privilege level are required; the action_unlock_sim endpoint accepts unauthenticated requests.
Victim interactionNot required
The attack is fully server-side and completes without any action from a user or administrator on the target device.
Attack complexityDetail
Exploitation is reliable and condition-free; no race conditions, special memory layout, or environmental prerequisites are needed.

Blast Radius

A successful attacker can execute arbitrary operating system commands on the router, gaining full shell-level control of the device.
Confidential data stored on or passing through the device, including network credentials and SIM-related parameters, becomes readable to the attacker.
The attacker can modify device configuration, routing rules, or firmware state, enabling persistent access or traffic interception.
The attacker can crash or fully disable the router, cutting off network connectivity for all clients depending on the device.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged at Critical severity and matched against all customer images on every scan cycle. Because no fix version exists yet, HarborGuard monitors the upstream advisory continuously and will surface a patched-image rebuild the moment the vendor publishes a corrected release. In the interim, compensating controls worth considering include network-policy isolation that restricts inbound access to the device's management interface to trusted hosts only, egress filtering to limit lateral movement if the device is compromised, and disabling the SIM-unlock interface via a feature flag or firewall rule if the functionality is not operationally required. For customers who opt into auto-remediation, the rebuild, regression-test run, and PR against affected workloads will be triggered automatically once an upstream fix is available, with no manual steps required.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

github.com

Metrics

Get notified