Hidden Admin Backdoor Found in Tenda Router Firmware

Overview

The CERT Coordination Center (CERT/CC) has issued a high‑severity advisory after discovering an undocumented administrative backdoor in several Tenda router firmware versions. Tracked as CVE‑2026‑11405, this flaw allows attackers to bypass password verification and gain full administrative control over affected devices — without valid credentials.

The Vulnerability Explained

Researchers found the backdoor embedded in the login() function of the /bin/httpd web server binary.

Here’s how it works:

  • MD5 Authentication Failure — when normal password verification fails, the firmware triggers an alternate code path.
  • Hidden Password Fetch — the code calls GetValue("sys.rzadmin.password") to retrieve a secret password from the configuration.
  • Plaintext Comparison — if the supplied password matches this hidden value, the system grants role = 2 (admin) privileges and creates a valid session.

Critically, the “rzadmin” username is not validated — meaning any username paired with the backdoor password will succeed.

Affected Firmware Versions

The vulnerability impacts multiple Tenda models and firmware builds, including:

ModelFirmware Version
FH1201US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
W15EUS_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
AC10US_AC10V1.0re_V15.03.06.46_multi_TDE01
AC5US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
AC6US_AC6V2.0RTL_V15.03.06.51_multi_T

Why It Matters

This hidden authentication mechanism effectively bypasses all standard security controls, allowing attackers to:

  • Modify router settings remotely.
  • Disable firewall and security features.
  • Reconfigure network parameters for malicious use.
  • Achieve complete device takeover.

Because the backdoor is not documented or visible in the admin interface, users and administrators remain unaware of its existence.

Mitigation and Recommendations

As of this writing, Tenda has not released a patch. Until updates arrive, CERT/CC recommends:

  • Disable Remote Management — prevent external access to the web interface.
  • Change Default LAN IP Address — reduce exposure to automated scanners targeting known ranges.
  • Monitor for Unauthorized Changes — audit settings regularly for unexpected modifications.
  • Segment Critical Networks — isolate IoT and consumer devices from enterprise systems.

Expert in the Cloud Insight

The Tenda backdoor discovery is a stark reminder that firmware security is as critical as network configuration. Hidden authentication paths undermine trust in consumer network devices and highlight the need for transparent code audits and vendor accountability.

For enterprises and home users alike, the lesson is clear: treat routers as computers with attack surfaces, not as simple network appliances. Firmware integrity checks and timely updates must be part of every security strategy.

Be the first to comment

Leave a Reply

Your email address will not be published.


*


This site uses Akismet to reduce spam. Learn how your comment data is processed.