Full Report
Several versions of firmware released by Chinese network device manufacturer Tenda have been found to embed an undocumented authentication backdoor that enables administrative access to the devices' web management interfaces, the CERT Coordination Center (CERT/CC) warned Monday. "An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process
Analysis Summary
# Vulnerability: Undocumented Administrative Backdoor in Tenda Router Firmware
## CVE Details
- **CVE ID:** CVE-2026-11405
- **CVSS Score:** Not explicitly listed in the article (typically Critical for administrative backdoors)
- **CWE:** CWE-1391 (Use of Undocumented Features) / CWE-259 (Use of Hard-coded Password)
## Affected Systems
- **Products:** Tenda Network Routers
- **Versions:**
- US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
- US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
- US_AC10V1.0re_V15.03.06.46_multi_TDE01
- US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
- US_AC6V2.0RTL_V15.03.06.51_multi_T
- **Configurations:** Devices running the web management interface via "/bin/httpd".
## Vulnerability Description
The flaw exists within the `login()` function of the `httpd` binary. While the firmware performs standard MD5-based authentication, a secondary undocumented code path is triggered upon authentication failure. The system calls `GetValue("sys.rzadmin.password")` to retrieve a secondary password from the internal configuration. If the user-supplied password matches this plaintext configuration value, the system bypasses standard validation and grants the user an administrative session (role=2). Notably, the `rzadmin` username itself is not validated, meaning any username provided with the backdoor password will grant access.
## Exploitation
- **Status:** Vulnerability publicly disclosed; PoC details (function names and logic) available via CERT/CC.
- **Complexity:** Low
- **Attack Vector:** Network (if web management is exposed)
## Impact
- **Confidentiality:** High (Full access to device configuration and traffic monitoring)
- **Integrity:** High (Unauthorized remote modification of settings and security features)
- **Availability:** High (Potential for complete device takeover or bricking)
## Remediation
### Patches
- **Status:** Unpatched. As of the report date, the vendor (Tenda) has not released firmware updates to address this backdoor.
### Workarounds
- **Disable Remote Management:** Ensure the web management interface is not accessible from the Wide Area Network (WAN/Internet).
- **Network Segmentation:** Change the default LAN IP address to a non-standard range to complicate automated discovery.
- **Access Control:** Restrict management access to specific trusted local IP addresses if the device supports internal ACLs.
## Detection
- **Indicators of Compromise:** Unusual administrative logins or configuration changes not performed by authorized users.
- **Detection methods:** Security audits of the device configuration for the existence of the `sys.rzadmin.password` string or monitoring for "role=2" session assignments in logs where standard credentials were not used.
## References
- CERT/CC Vulnerability Note VU#213560: hxxps[:]//kb[.]cert[.]org/vuls/id/213560
- CVE Record: hxxps[:]//www[.]cve[.]org/CVERecord?id=CVE-2026-11405
- The Hacker News Report: hxxps[:]//thehackernews[.]com/2026/07/certcc-warns-of-hidden-admin-backdoor[.]html