The CERT Coordination Center (CERT/CC) has issued a warning regarding several firmware versions from Tenda, a Chinese network device manufacturer. These versions contain an undisclosed backdoor that grants administrative access to the devices’ web management interfaces. This vulnerability, identified as CVE-2026-11405, allows attackers to bypass password verification, gaining full control without valid credentials.
Critical Vulnerability Details
The backdoor affects multiple firmware versions, including US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T. The issue resides in the ‘login()’ function within the ‘/bin/httpd’ web server binary, which initially follows standard MD5-based password authentication. However, if authentication fails, it triggers an alternative code path.
This alternative path involves using ‘GetValue(“sys.rzadmin.password”)’ to retrieve a different password from the device’s configuration for a plaintext comparison with the user-supplied password. If they match, administrative access is granted with elevated privileges, bypassing the usual username validation process.
Implications of the Backdoor
The backdoor allows attackers to obtain full administrative privileges over the device’s interface, regardless of the legitimate administrator credentials. This could enable unauthorized alterations, disabling of security settings, or reconfiguration, potentially leading to a complete takeover of the device. CERT/CC highlights that the username associated with this backdoor, “rzadmin,” is not verified, allowing any username to succeed if paired with the backdoor password.
This vulnerability was reported by an anonymous researcher and remains unpatched. Attempts to contact Tenda for comments have been made by The Hacker News, with updates pending.
Preventive Measures and Recommendations
Until a patch is available, users are advised to take precautionary measures to protect their devices. Disabling remote management features and changing the default LAN IP address can help mitigate risks by reducing the chances of automated scans discovering the backdoor through known default IP ranges.
Ensuring these steps are taken can reduce exposure to potential threats while awaiting further updates or patches from Tenda.
