How is CVE-2026-38064 exploited?

Network reachability (required): The vulnerable function is exposed over the network, so an attacker must be able to reach the device's network interface to deliver the malicious payload. Authentication (not-required): No credentials or session token of any kind are needed; the injection point in the dialNumber parameter accepts unauthenticated input. Victim interaction (not-required): The attacker sends a crafted request directly to the device with no need for any user to click a link or take any action. Attack complexity (info): Exploitation is reliable and condition-free; no race conditions, memory layout knowledge, or special environmental factors are required to trigger the injection.

What is the impact of CVE-2026-38064?

Attacker executes arbitrary OS commands as the process owner, gaining an interactive shell or the ability to run scripts on the device. All data stored on the device, including credentials, configuration files, and session material, becomes readable. Attacker can overwrite firmware settings, inject persistent backdoors, or modify routing and firewall rules. The device can be crashed or held in a denial-of-service state, disrupting all traffic passing through it.

Back to search

CRITICALCVE-2026-38064Published 2026-06-15Modified 2026-06-16CNA mitre

CVE-2026-38064: Tenda 5G03 V05

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_dial_call via the dialNumber parameter.

CVSS v3.1: 9.8
Severity: CRITICAL
Fixed in: —
Affected Products: 1

HarborGuard Analysis

Synopsis

Command injection in Tenda 5G03 V05 (firmware version 05.03.02.04) allows a remote attacker to inject arbitrary operating system commands through the dialNumber parameter in the action_dial_call function. The vulnerability is reachable over the network with no authentication required and no user interaction needed. Successful exploitation gives the attacker full control of the device, including the ability to read all stored data, modify configuration and files, and crash or hijack running processes. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection

Detection capability is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries, CI/CD pipelines, and custom-built images. Any image containing the affected Tenda 5G03 firmware version is flagged automatically.

Available

Triage

HarborGuard is capable of scoring this finding at CVSS 9.8 (Critical) and weighting it against each environment's compliance policy to determine urgency and routing. Triage results are delivered to the appropriate team inbox within each customer organization based on configured policy.

Available

Patch

Because no upstream fix version has been published for this CVE, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. Customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Pending upstream

Exploit Conditions

Network reachabilityRequired
The vulnerable function is exposed over the network, so an attacker must be able to reach the device's network interface to deliver the malicious payload.
AuthenticationNot required
No credentials or session token of any kind are needed; the injection point in the dialNumber parameter accepts unauthenticated input.
Victim interactionNot required
The attacker sends a crafted request directly to the device with no need for any user to click a link or take any action.
Attack complexityDetail
Exploitation is reliable and condition-free; no race conditions, memory layout knowledge, or special environmental factors are required to trigger the injection.

Blast Radius

Attacker executes arbitrary OS commands as the process owner, gaining an interactive shell or the ability to run scripts on the device.
All data stored on the device, including credentials, configuration files, and session material, becomes readable.
Attacker can overwrite firmware settings, inject persistent backdoors, or modify routing and firewall rules.
The device can be crashed or held in a denial-of-service state, disrupting all traffic passing through it.

How HarborGuard Handles This

Available on HarborGuard: detection for CVE-2026-38064 is active across all connected environments, matching against the affected Tenda 5G03 firmware version in any scanned image. Because no vendor patch exists today, HarborGuard monitors the advisory on every ingest cycle and will trigger a rebuild automatically when an upstream fix is published. For customers with auto-remediation enabled, that rebuild will be followed by a regression-test run and a PR opened against affected workloads. In the interim, compensating controls worth considering include network-policy rules that restrict inbound access to the device management interface to trusted IP ranges only, egress filtering to limit what commands the device process can reach externally, and disabling or isolating any workload that calls the action_dial_call function until a patch is available.

See how HarborGuard automates this

Affected packages

n/a / n/a
n/a

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References

github.com

Metrics

Get notified