Mastodon Mastodon Mastodon Mastodon

CERT/CC warns of hidden admin backdoor in Tenda router firmware

Photo of author

CyberSecureFox Editorial Team

Published:

The CERT Coordination Center (CERT/CC) has published an advisory about an undocumented backdoor in the firmware of several router models from Chinese manufacturer Tenda. The CVE-2026-11405 vulnerability allows an attacker to completely bypass the authentication mechanism and obtain administrative access to the device’s web management interface without knowing valid credentials. At the time of publication, no fix was available from the vendor, leaving all affected devices exposed.

How the backdoor works

According to CERT/CC, the backdoor is built directly into the login() function of the /bin/httpd web server, which handles requests to the management interface. The standard authentication process uses password verification based on MD5 hashing. However, when a login attempt fails, an alternative code path is triggered.

This alternative path performs the following actions:

  • Calls the GetValue("sys.rzadmin.password") function to retrieve the value of a hidden password from the device configuration
  • Compares the password entered by the user with the retrieved value in cleartext, without hashing
  • If they match, assigns the session an administrative access level (role=2) with full privileges

A critical detail, as noted by CERT/CC, is that the username associated with the “rzadmin” account is not validated. This means that any arbitrary username combined with the backdoor password will successfully authenticate. The hidden authentication mechanism is not exposed in any administrative interface and is not mentioned in the documentation.

Affected firmware versions

According to the CERT/CC advisory, the vulnerability has been confirmed in the following firmware versions:

  • Tenda FH1201 — US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
  • Tenda W15E — US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
  • Tenda AC10 — US_AC10V1.0re_V15.03.06.46_multi_TDE01
  • Tenda AC5 — US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
  • Tenda AC6 — US_AC6V2.0RTL_V15.03.06.51_multi_T

This list covers at least five different device lines. It cannot be ruled out that other models built on a similar web server codebase also contain this backdoor, although available sources do not provide confirmed evidence of that.

Impact assessment

Successful exploitation of CVE-2026-11405 gives an attacker full administrative control over the device. Potential consequences include:

  • Unauthorized modification of router configuration, including DNS and routing settings
  • Disabling built-in security features such as the firewall and content filtering
  • Traffic redirection for data interception
  • Using the compromised device as an entry point into the local network

The affected Tenda router lines are widely used in the SOHO segment (small office and home office). Devices in this class are often operated without regular firmware updates and with remote management enabled, which increases the attack surface. It is worth noting that a CVSS score had not been assigned to this vulnerability at the time of publication, and available sources contain no information about confirmed exploitation in real-world attacks.

Why this is concerning

The nature of this vulnerability merits special attention. This is not a typical programming error—such as a buffer overflow or improper input validation—but a deliberately implemented alternative authentication mechanism. The presence of a separate “rzadmin” account with its own password storage in the configuration, cleartext comparison, and lack of username verification all point to an intentional design decision. Whether this was introduced for debugging, technical support, or some other reason remains an open question in the absence of an official comment from Tenda. The vulnerability was discovered by an anonymous researcher, and according to available information, the vendor has not responded.

Mitigation recommendations

Since no patch is available, the only option is to minimize the attack surface:

  • Immediately disable remote management (Remote Management / Web Access from WAN) on all affected devices. This will prevent exploitation from the internet
  • Change the default LAN interface IP address of the router (typically 192.168.0.1 or 192.168.1.1) to a non-standard address to reduce the likelihood of discovery by automated scanners
  • Review device logs for suspicious login attempts using unusual usernames, which may indicate attempts to exploit the backdoor
  • Consider replacing the device with a router from a vendor that has a proven track record of releasing security updates, especially if the device is used in a business environment

Owners of the affected Tenda models should assume that a patch may never be released—this vendor’s history of responding to vulnerabilities does not inspire confidence. The top priority is to disable remote access to the web interface immediately. For organizations using these devices in production, a prudent strategy is to plan a migration to equipment with a transparent security policy and a regular update cycle.


CyberSecureFox Editorial Team

The CyberSecureFox Editorial Team covers cybersecurity news, vulnerabilities, malware campaigns, ransomware activity, AI security, cloud security, and vendor security advisories. Articles are prepared using official advisories, CVE/NVD data, CISA alerts, vendor publications, and public research reports. Content is reviewed before publication and updated when new information becomes available.

Leave a Comment

This site uses Akismet to reduce spam. Learn how your comment data is processed.