CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware
CERT/CC identified CVE-2026-11405, a hidden admin backdoor in Tenda router firmware allowing unauthorized administrative access without valid credentials. The vulnerability resides in the `/bin/web` server binary's `login()` function, which triggers an alternate code path upon failed MD5 authentication to check a plaintext configuration password. The backdoor ignores username validation, meaning any username paired with the specific backdoor password grants full admin privileges (role=2). Multip
Analysis
TL;DR
- CERT/CC identified CVE-2026-11405, a hidden admin backdoor in Tenda router firmware allowing unauthorized administrative access without valid credentials.
- The vulnerability resides in the
/bin/webserver binary'slogin()function, which triggers an alternate code path upon failed MD5 authentication to check a plaintext configuration password. - The backdoor ignores username validation, meaning any username paired with the specific backdoor password grants full admin privileges (role=2).
- Multiple firmware versions are affected, including those for models FH1201, W15E, AC10, AC5, and AC6, and the issue remains unpatched as of the report.
- Immediate mitigation involves disabling remote management and changing the default LAN IP address to prevent exposure to automated scanners.
Why It Matters
This incident highlights critical security failures in IoT device manufacturing, specifically the embedding of undocumented authentication bypasses that undermine fundamental security principles. For practitioners, it underscores the necessity of rigorous firmware auditing and the risks associated with relying on default configurations or vendor-provided security mechanisms without independent verification.
Technical Details
- Vulnerability Mechanism: The backdoor is embedded in the
login()function of the/bin/webbinary. After a standard MD5-based password verification fails, the code executes an alternative path callingGetValue("sys.rzadmin.password"). - Authentication Bypass: The system performs a direct plaintext comparison between the user-supplied password and the stored
sys.rzadmin.passwordvalue. If they match, the application assignsrole=2(admin) and creates a session, completely bypassing the intended credential check. - Username Validation Flaw: The
rzadminusername field is not validated against existing accounts; any arbitrary username provided alongside the correct backdoor password will succeed. - Affected Scope: The vulnerability impacts several specific firmware builds across Tenda models such as US_FH1201, US_W15E, US_AC10, US_AC5, and US_AC6.
- Status: Reported by an anonymous researcher, the vulnerability is currently unpatched, leaving devices exposed until a firmware update is released.
Industry Insight
- Supply Chain Security: Manufacturers must implement strict code review processes to detect and remove undocumented backdoors or debug interfaces before firmware release, as these pose severe long-term security liabilities.
- Defensive Configuration: Users should treat default IoT settings as inherently insecure; disabling remote management and altering default IPs are essential first steps in hardening network infrastructure against opportunistic attacks.
- Vulnerability Management: Organizations relying on consumer-grade networking equipment should monitor CERT advisories closely and prioritize devices with transparent security update policies to mitigate exposure to zero-day or undisclosed flaws.
Disclaimer: The above content is generated by AI and is for reference only.