Undocumented Backdoor Discovered in Tenda Router Firmware

CERT/CC warns that an unpatched backdoor in multiple Tenda router models grants full admin access without requiring a valid username.

CSBadmin
2 Min Read

Vulnerability Overview

A hidden authentication backdoor has been identified in multiple Tenda router firmware versions, allowing an attacker to gain full administrative access to the device’s web management panel. The issue, tracked as CVE-2026-11405, was reported by the CERT Coordination Center (CERT/CC) after an anonymous researcher discovered the flaw. The vulnerability remains unpatched because the Chinese manufacturer could not be contacted.

The backdoor exists in the ‘login()’ function of the ‘/bin/httpd’ web server binary. Standard MD5 based authentication is attempted first. If that fails, the firmware retrieves an alternate password from the ‘sys.rzadmin.password’ configuration value and compares it directly to the plaintext password supplied by the user. If the passwords match, the device grants administrator access (role=2) and creates a valid session, regardless of the username entered.

Impact and Scope

Successful exploitation provides full administrative control over the device’s web interface, circumventing the configured administrator account credentials. An attacker can reconfigure the device, alter network settings, and disable security features, potentially enabling broader compromise of the local network. The undocumented mechanism is not mentioned in any documentation or the administrative interface, leaving users unaware of the risk.

Affected devices include the Tenda FH1201, W15E, AC10, AC5, and AC6 V2 routers with specific firmware versions. No patch is currently available. Users are advised to disable remote web management panel access and change the default LAN IP address to reduce exposure. While no active exploitation has been reported, the flaw is likely to be targeted by botnets focusing on router vulnerabilities.

Source: BleepingComputer

CSBadmin

The latest in cybersecurity news and updates.

Share This Article
Follow:
The latest in cybersecurity news and updates.