How is CVE-2026-38061 exploited?

Network reachability (required): The vulnerable function is exposed over the network, so an attacker must be able to reach the device's interface across the internet or an internal network segment. Authentication (not-required): No credentials of any privilege level are needed to invoke the action_set_volume function and deliver the malicious volume parameter. Victim interaction (not-required): The attacker sends a crafted request directly to the device; no user action such as clicking a link or opening a file is required. Attack complexity (info): The exploit is reliable and condition-free: no race conditions, specific memory layout, or environmental prerequisites are required to trigger command injection.

What is the impact of CVE-2026-38061?

Attacker executes arbitrary operating system commands with the privilege level of the affected process, gaining a foothold on the device. Attacker reads sensitive data stored on the device, including configuration files, credentials, and network topology details. Attacker modifies device configuration or running state, redirecting traffic, disabling security controls, or installing persistent backdoors. Attacker crashes or fully disrupts the device, taking down network connectivity for all clients that depend on it.

Back to search

CRITICALCVE-2026-38061Published 2026-06-15Modified 2026-06-16CNA mitre

CVE-2026-38061: Tenda 5G03 V05

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Command injection in the Tenda 5G03 V05 router (firmware version V05.03.02.04) allows a remote, unauthenticated attacker to inject arbitrary operating system commands through the volume parameter of the action_set_volume function. The vulnerability is reachable over the network with no credentials required and no user interaction needed. Successful exploitation gives the attacker full control of the device, including the ability to read, modify, or delete data and crash or commandeer the affected service. HarborGuard is tracking this advisory for patch availability and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-38061 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images that include affected Tenda firmware or derived components.

Available

Triage

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 rating of 9.8 (Critical) and weighting that score against each customer org's compliance policy; findings are routed automatically to the appropriate team inbox based on configured severity thresholds and ownership rules.

Available

Patch

No fix version has been published by the vendor for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable function is exposed over the network, so an attacker must be able to reach the device's interface across the internet or an internal network segment.
AuthenticationNot required
No credentials of any privilege level are needed to invoke the action_set_volume function and deliver the malicious volume parameter.
Victim interactionNot required
The attacker sends a crafted request directly to the device; no user action such as clicking a link or opening a file is required.
Attack complexityDetail
The exploit is reliable and condition-free: no race conditions, specific memory layout, or environmental prerequisites are required to trigger command injection.

Blast Radius

Attacker executes arbitrary operating system commands with the privilege level of the affected process, gaining a foothold on the device.
Attacker reads sensitive data stored on the device, including configuration files, credentials, and network topology details.
Attacker modifies device configuration or running state, redirecting traffic, disabling security controls, or installing persistent backdoors.
Attacker crashes or fully disrupts the device, taking down network connectivity for all clients that depend on it.

How HarborGuard Handles This

Available on HarborGuard: this CVE is flagged Critical (CVSS 9.8) and surfaces immediately in any environment where images containing the affected Tenda firmware or related components are scanned. Because no upstream fix exists yet, HarborGuard monitors the advisory on every ingest cycle and will trigger a patched-image rebuild automatically once a fix version is published. In the meantime, customers can apply compensating controls through HarborGuard's policy engine: network-policy isolation rules can restrict access to the device's management interface, and egress filtering can limit what an already-compromised process can reach. For customers with auto-remediation enabled, the moment a patched version is available the platform will rebuild the image, run regression tests, and open a PR against affected workloads; the median time from CVE publication to merged patch PR for critical-severity issues is around 90 minutes in environments with auto-remediation enabled.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

github.com

Metrics

Get notified