How is CVE-2026-38062 exploited?

Network reachability (required): The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the device's HTTP service remotely; no physical or local access is needed. Authentication (not-required): No credentials are required; the vulnerable function can be invoked by any unauthenticated caller that can reach the device. Victim interaction (not-required): Exploitation is entirely attacker-driven and requires no action from any user of the device. Attack complexity (info): Exploit conditions are straightforward and reliable, with no race conditions or special environmental dependencies required to trigger the injection.

What is the impact of CVE-2026-38062?

Attacker executes arbitrary OS commands on the router with the privileges of the web server process, gaining a foothold on the device. All data handled by the device, including network credentials and configuration secrets stored in flash, becomes readable. The attacker can overwrite firmware settings or inject persistent backdoors, modifying device behavior for all connected users. The router can be crashed or rendered non-functional, cutting off network access for every client depending on it.

Back to search

CRITICALCVE-2026-38062Published 2026-06-15Modified 2026-06-16CNA mitre

CVE-2026-38062: Tenda 5G03 V05

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Command injection in the Tenda 5G03 V05 router allows a remote attacker to execute arbitrary operating system commands on the device. The vulnerability is reachable over the network without any authentication, via the ratMode parameter in the action_set_rat_mode function. Successful exploitation gives the attacker full control of the device, including the ability to read all data, modify configurations, and disrupt network service. HarborGuard tracks this advisory and will make a patched-image rebuild available as soon as an upstream fix is published.

HarborGuard Coverage

Detection

Detection for CVE-2026-38062 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI pipelines, including custom-built images that package or embed Tenda 5G03 firmware components.

Available

Triage

Triage is available with the full CVSS v3.1 score of 9.8 (Critical), weighted against each customer organization's compliance policy to determine urgency and routed to the appropriate team inbox within that org.

Available

Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor ships a fix.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the device's HTTP service remotely; no physical or local access is needed.
AuthenticationNot required
No credentials are required; the vulnerable function can be invoked by any unauthenticated caller that can reach the device.
Victim interactionNot required
Exploitation is entirely attacker-driven and requires no action from any user of the device.
Attack complexityDetail
Exploit conditions are straightforward and reliable, with no race conditions or special environmental dependencies required to trigger the injection.

Blast Radius

Attacker executes arbitrary OS commands on the router with the privileges of the web server process, gaining a foothold on the device.
All data handled by the device, including network credentials and configuration secrets stored in flash, becomes readable.
The attacker can overwrite firmware settings or inject persistent backdoors, modifying device behavior for all connected users.
The router can be crashed or rendered non-functional, cutting off network access for every client depending on it.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-38062 is flagged at Critical severity (9.8) and is actively monitored on every ingest cycle for patch availability. Because no upstream fix exists yet, the recommended compensating controls are to isolate the Tenda 5G03 management interface behind a network policy that blocks untrusted inbound access, apply egress filtering to limit lateral movement if the device is compromised, and disable remote management features where operationally possible. For customers who opt into auto-remediation, HarborGuard will initiate a patched-image rebuild, regression-test run, and PR against affected workloads automatically the moment a fix version is published upstream, with no manual intervention required.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

github.com

Metrics

Get notified