Overview
The CERT Coordination Center (CERT/CC) has issued a high‑severity advisory after discovering an undocumented administrative backdoor in several Tenda router firmware versions. Tracked as CVE‑2026‑11405, this flaw allows attackers to bypass password verification and gain full administrative control over affected devices — without valid credentials.

The Vulnerability Explained
Researchers found the backdoor embedded in the login() function of the /bin/httpd web server binary.
Here’s how it works:
- MD5 Authentication Failure — when normal password verification fails, the firmware triggers an alternate code path.
- Hidden Password Fetch — the code calls
GetValue("sys.rzadmin.password")to retrieve a secret password from the configuration. - Plaintext Comparison — if the supplied password matches this hidden value, the system grants role = 2 (admin) privileges and creates a valid session.
Critically, the “rzadmin” username is not validated — meaning any username paired with the backdoor password will succeed.
Affected Firmware Versions
The vulnerability impacts multiple Tenda models and firmware builds, including:
| Model | Firmware Version |
|---|---|
| FH1201 | US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD |
| W15E | US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE |
| AC10 | US_AC10V1.0re_V15.03.06.46_multi_TDE01 |
| AC5 | US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 |
| AC6 | US_AC6V2.0RTL_V15.03.06.51_multi_T |
Why It Matters
This hidden authentication mechanism effectively bypasses all standard security controls, allowing attackers to:
- Modify router settings remotely.
- Disable firewall and security features.
- Reconfigure network parameters for malicious use.
- Achieve complete device takeover.
Because the backdoor is not documented or visible in the admin interface, users and administrators remain unaware of its existence.
Mitigation and Recommendations
As of this writing, Tenda has not released a patch. Until updates arrive, CERT/CC recommends:
- Disable Remote Management — prevent external access to the web interface.
- Change Default LAN IP Address — reduce exposure to automated scanners targeting known ranges.
- Monitor for Unauthorized Changes — audit settings regularly for unexpected modifications.
- Segment Critical Networks — isolate IoT and consumer devices from enterprise systems.
Expert in the Cloud Insight
The Tenda backdoor discovery is a stark reminder that firmware security is as critical as network configuration. Hidden authentication paths undermine trust in consumer network devices and highlight the need for transparent code audits and vendor accountability.
For enterprises and home users alike, the lesson is clear: treat routers as computers with attack surfaces, not as simple network appliances. Firmware integrity checks and timely updates must be part of every security strategy.
Leave a Reply