CVE-2026-38063: Tenda 5G03 V05
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Command injection in the Tenda 5G03 V05 router (firmware version 05.03.02.04) allows a remote, unauthenticated attacker to inject arbitrary OS commands via the ia parameter of the action_radio_on_with_ia_apn function. The vulnerability is reachable over the network with no authentication and no user interaction required. Successful exploitation gives the attacker full control over the device, including the ability to read, modify, or destroy data and crash or commandeer the affected router. No fix version has been published; HarborGuard tracks this advisory and will surface a patched rebuild the moment an upstream fix becomes available.
HarborGuard Coverage
Detection for CVE-2026-38063 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images derived from affected Tenda firmware bases.
Available
HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 9.8 (Critical) and weighting it against each customer environment's compliance policy to route findings to the appropriate team inbox within that organization.
Available
Because no upstream fix version has been published, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream vendor ships a corrected firmware or package. In the meantime, compensating controls such as network-policy isolation of the affected device and egress filtering on the management interface are surfaced as recommended mitigations within each customer environment.
Pending upstream
Exploit Conditions
- Network reachability: Required
The vulnerable function is exposed over the network, meaning an attacker must be able to reach the device's network interface to send a crafted request.
- Authentication: Not required
No account or credential of any privilege level is needed to reach or exploit the vulnerable endpoint.
- Victim interaction: Not required
Exploitation is fully attacker-driven and requires no action from any user of the device.
- Attack complexity: Detail
The exploit is reliable and condition-free: no race conditions, memory layout knowledge, or special environmental factors are needed to trigger the injection.
Blast Radius
- A successful attacker can execute arbitrary OS commands on the router with the process's privilege level, gaining effective control of the device.
- Confidential data stored on or passing through the device, such as credentials, session tokens, and network traffic, is readable by the attacker.
- The attacker can modify device configuration, routing rules, or firmware, redirecting or intercepting traffic for downstream network users.
- The attacker can crash or reboot the device, cutting off network connectivity for all clients that depend on it.
How HarborGuard Handles This
Available on HarborGuard: detection for this critical command-injection vulnerability is matched against customer images immediately upon ingest, with findings scored at CVSS 9.8 and routed according to each organization's compliance policy. Because no upstream fix has been published, HarborGuard monitors this advisory on every ingest cycle and will make a patched-image rebuild available, paired with an automated PR against affected workloads, the moment the vendor releases a corrected version. For customers who opt into auto-remediation, that rebuild, regression-test run, and PR will be triggered without manual intervention. While no patch exists, HarborGuard surfaces compensating-control recommendations including network-policy isolation of the affected router's management interface, ingress filtering to restrict access to trusted source IPs only, and egress filtering to limit command-and-control reach if the device is compromised.
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H