Severity: CRITICAL | CVE-2026-38065 | CNA: mitre

CVE-2026-38065: Tenda 5G03 V05

Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the ims_apn parameter.

Metrics

  • CVSS v3.1: 9.8
  • Severity: CRITICAL
  • Fixed in: no fix version published
  • Affected Products: 1

HarborGuard Analysis

Synopsis

Command injection in the Tenda 5G03 V05 router firmware allows a remote, unauthenticated attacker to execute arbitrary operating system commands on the device. The vulnerability exists in the action_ims_on_with_apn function, where the ims_apn parameter is passed unsanitized to a system call, reachable over the network with no login required. Successful exploitation gives the attacker full control of the device, including access to all data passing through it, the ability to modify configuration and routing, and the ability to crash or brick the device. HarborGuard is tracking this advisory for patch availability as no fix version has been published.

HarborGuard Coverage

Detection

Detection for CVE-2026-38065 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against images in customer registries and CI/CD pipelines, including custom-built images that bundle Tenda 5G03 firmware components.

Status: Available

Triage

HarborGuard triage capability applies the CVSS 3.1 score of 9.8 (Critical) to each affected finding, weights it against each environment's compliance policy, and routes alerts to the appropriate team inbox within the customer org.

Status: Available

Patch

No fix version has been published upstream for this CVE. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released; customers with auto-remediation enabled will receive the rebuild, a regression-test run, and a PR opened against affected workloads without manual intervention.

Status: Pending upstream

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoint is exposed over the network, meaning an attacker must be able to reach the device's HTTP interface remotely to deliver the malicious ims_apn payload.

  • Authentication: Not required

    No credentials or session token are needed; the vulnerable function is accessible to unauthenticated requests.

  • Victim interaction: Not required

    The attacker makes a direct request to the device; no user action or social-engineering step is required.

  • Attack complexity: Detail

    The exploit is reliable and condition-free: no race condition, memory layout knowledge, or environmental prerequisite is needed beyond network access to the target.

Blast Radius

  • Attacker executes arbitrary OS commands as the firmware process owner, gaining a root-level shell on the router in typical embedded-Linux deployments.
  • All network traffic routed through the device becomes readable, allowing interception of credentials, session tokens, and unencrypted payloads from connected clients.
  • The attacker can modify routing tables, DNS settings, or firewall rules, redirecting or blocking traffic for any host on the network.
  • The device can be crashed or rendered unbootable by overwriting firmware partitions or issuing destructive shell commands, disrupting network connectivity for all connected users.

How HarborGuard Handles This

Available on HarborGuard: CVE-2026-38065 is flagged as Critical (CVSS 9.8) with no upstream patch currently available, so the immediate pipeline action is visibility and compensating-control guidance rather than a rebuild. HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically when Tenda publishes a fix; for customers with auto-remediation enabled, that rebuild triggers a regression-test run and opens a PR against affected workloads without manual steps. In the meantime, compensating controls worth evaluating include: isolating the affected device behind a strict network policy that blocks direct internet-facing access to its management interface; applying egress filtering to prevent outbound callback connections that a command-injection payload would typically establish; and disabling the IMS APN configuration endpoint via a feature flag or firewall rule if the functionality is not operationally required. HarborGuard will update the finding status and trigger remediation workflows the moment a fix version is published upstream.
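While no fix exists, a proxy or log pipeline in front of the management interface can flag any request whose ims_apn value is not a syntactically valid APN. The following is an added example, not HarborGuard or Tenda code. The log layout, the `/PLACEHOLDER` path and the sample lines are constructed assumptions, and the allowlist follows the APN naming rules in 3GPP TS 23.003 (dot-separated DNS-style labels, at most 100 octets).

```python
import re
from urllib.parse import urlsplit, parse_qsl

# APN syntax (3GPP TS 23.003): labels of letters, digits and hyphens, joined by dots.
LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?"
APN_RE = re.compile(rf"{LABEL}(?:\.{LABEL})*")
PARAM = "ims_apn"  # parameter named in the advisory

# Assumed log layout: <client_ip> "<METHOD> <target> HTTP/x.y" <status> "<form body>"
LOG_RE = re.compile(r'(\S+) "(\S+) (\S+) [^"]*" \d{3} "([^"]*)"')

def apn_is_valid(value: str) -> bool:
    """Allowlist check: anything that is not a well-formed APN is rejected."""
    return len(value) <= 100 and APN_RE.fullmatch(value) is not None

def suspicious_requests(log_lines):
    """Yield (client_ip, decoded_value) for each ims_apn that fails the allowlist."""
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, _method, target, body = m.groups()
        # Check both the query string and the form body; parse_qsl percent-decodes.
        pairs = parse_qsl(urlsplit(target).query, keep_blank_values=True)
        pairs += parse_qsl(body, keep_blank_values=True)
        for key, value in pairs:
            if key == PARAM and not apn_is_valid(value):
                yield ip, value

# Constructed sample lines (documentation IP ranges, placeholder path).
SAMPLE_LOG = [
    '192.0.2.10 "POST /PLACEHOLDER HTTP/1.1" 200 "ims_apn=ims"',
    '192.0.2.10 "POST /PLACEHOLDER HTTP/1.1" 200 "ims_apn=ims.operator-example.net"',
    '198.51.100.7 "POST /PLACEHOLDER HTTP/1.1" 200 "ims_apn=ims%3Bx"',
    '198.51.100.7 "GET /PLACEHOLDER?ims_apn=ims%7Cx HTTP/1.1" 200 ""',
]

if __name__ == "__main__":
    for ip, value in suspicious_requests(SAMPLE_LOG):
        print(f"ALERT {ip}: {PARAM}={value!r} is not a valid APN")
```

Because the check is an allowlist on the decoded value, it does not depend on enumerating shell metacharacters, and the same predicate can be used to reject the request outright at the proxy.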

Affected packages
  • n/a / n/a
    n/a
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H