Login Sign Up

CVE-2023-27076

9.8 CRITICAL
Remote Code Execution

📋 TL;DR

This critical command injection vulnerability in Tenda G103 routers allows attackers to execute arbitrary system commands by manipulating the language parameter. Attackers can gain complete control of affected routers, potentially compromising all network traffic. Anyone using Tenda G103 routers with vulnerable firmware is affected.

💻 Affected Systems

Products:
  • Tenda G103
Versions: v1.0.0.5
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All devices running this specific firmware version are vulnerable by default.

📦 What is this software?

G103 Firmware by Tenda

View all CVEs affecting G103 Firmware →

⚠️ Risk & Real-World Impact

🔴

Worst Case

Complete router compromise leading to full network traffic interception, credential theft, lateral movement to connected devices, and persistent backdoor installation.

🟠

Likely Case

Router takeover allowing DNS hijacking, credential harvesting, and use as pivot point for attacks on internal network devices.

🟢

If Mitigated

Limited impact if router is behind firewall with strict inbound rules and network segmentation prevents lateral movement.

🌐 Internet-Facing: HIGH - Routers are typically internet-facing devices directly accessible from WAN interfaces.
🏢 Internal Only: MEDIUM - Attackers could exploit from compromised internal devices or via phishing/malware.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Public exploit details available in GitHub repository. Simple HTTP request with crafted language parameter can trigger exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: Not available

Restart Required: No

Instructions:

Check Tenda official website for firmware updates. If no patch available, consider replacing router with supported model.

🔧 Temporary Workarounds

Disable WAN Management

all

Prevent external access to router management interface

Access router admin panel > Security > Remote Management > Disable

Network Segmentation

all

Isolate router management interface to separate VLAN

🧯 If You Can't Patch

  • Replace router with supported model that receives security updates
  • Place router behind dedicated firewall with strict inbound rules blocking all unnecessary ports

🔍 How to Verify

Check if Vulnerable:

Check router firmware version in admin panel. If version is exactly 1.0.0.5, device is vulnerable.

Check Version:

Login to router admin interface and check System Status or Firmware Update section

Verify Fix Applied:

Verify firmware version has been updated to a version higher than 1.0.0.5

📡 Detection & Monitoring

Log Indicators:

  • Unusual HTTP requests to language parameter
  • Unexpected system command execution in router logs
  • Failed authentication attempts followed by successful exploitation

Network Indicators:

  • HTTP POST requests with shell metacharacters in language parameter
  • Outbound connections from router to suspicious IPs
  • DNS queries to malicious domains

SIEM Query:

source="router_logs" AND ("language=" AND ("|" OR ";" OR "$" OR "`"))

📊 Metadata

CVE ID: CVE-2023-27076
CVSS v3 Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CWE: CWE-78
Published: April 10, 2023
Last Updated: May 5, 2025

🔗 References

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2023-27076, you might also want to check these:

CVE-2023-2564 10.0

This CVE describes an OS command injection vulnerability in scanservjs web scanning software that al...

Same vulnerability type (CWE-78)
CVE-2024-58338 10.0

Anevia Flamingo XL 3.2.9 contains a restricted shell escape vulnerability that allows remote attacke...

Same vulnerability type (CWE-78)
CVE-2025-26389 10.0

This critical vulnerability allows unauthenticated remote attackers to execute arbitrary code with r...

Same vulnerability type (CWE-78)