CVE-2026-5338
Published: 02 April 2026
Summary
CVE-2026-5338 is a medium-severity Injection (CWE-74) vulnerability in Tenda G103 Firmware. Its CVSS base score is 4.7 (Medium).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 41.8% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
SI-10 directly prevents command injection by requiring validation and error handling of inputs like the lanIp argument at system entry points.
SI-2 mandates timely flaw remediation, including patching the vulnerable action_set_system_settings function in system.lua to eliminate the command injection vulnerability.
AC-6 enforces least privilege, limiting high-privilege administrative access required to exploit the remote command injection via lanIp manipulation.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Command injection in the router's public-facing web interface (system.lua) directly enables exploitation of public-facing applications (T1190) and arbitrary Unix shell command execution (T1059.004) via unsanitized lanIp input.
NVD Description
A security vulnerability has been detected in Tenda G103 1.0.0.5. The affected element is the function action_set_system_settings of the file system.lua of the component Setting Handler. Such manipulation of the argument lanIp leads to command injection. The attack may be…
more
performed from remote. The exploit has been disclosed publicly and may be used.
Deeper analysisAI
CVE-2026-5338 is a command injection vulnerability affecting the Tenda G103 router on firmware version 1.0.0.5. The flaw exists in the action_set_system_settings function within the system.lua file of the Setting Handler component, where manipulation of the lanIp argument enables command injection. It is classified under CWE-74 and CWE-77, with a CVSS v3.1 base score of 4.7 (AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L).
The vulnerability is exploitable remotely over the network by an attacker possessing high privileges, such as authenticated administrative access. Exploitation allows limited impacts, including low-level disclosure of information, modification of data, and denial of service. A proof-of-concept exploit has been publicly disclosed.
Advisories referenced on VulDB detail the vulnerability and recent threat intelligence, while a GitHub repository hosts the exploit code. The Tenda vendor website is listed, but no specific patches or mitigation guidance are detailed in the provided references.
Details
- CWE(s)