Several versions of firmware released by Chinese network device manufacturer Tenda have been found to embed an undocumented authentication backdoor that enables administrative access to the devices’ web management interfaces, the CERT Coordination Center (CERT/CC) warned Monday.
“An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials,” the CERT/CC said in an alert.
The vulnerability impacts multiple versions of the firmware –
- US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
- US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
- US_AC10V1.0re_V15.03.06.46_multi_TDE01
- US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
- US_AC6V2.0RTL_V15.03.06.51_multi_T
The backdoor functionality is present within the “login()” function of the “/bin/httpd” web server binary. While the method initially follows a normal authentication path using MD5-based password verification, it activates an alternate code path if the authentication fails.
Specifically, this involves calling “GetValue(“sys.rzadmin.password”)” to fetch an alternate password value from the device configuration, and performing a direct plaintext comparison between the user-supplied password and the configuration-stored value. Should these values match, the application grants admin-level access (role=2) and creates a valid session with elevated privileges.
“The associated [“rzadmin”] username is not validated, so any provided username will succeed when paired with the backdoor password,” the CERT/CC said. “This backdoor authentication mechanism is not documented or visible through any administrative interface.”
Successful exploitation of this standard username validation override allows full administrative access to the device’s web interface regardless of the administrator account credentials. It can permit an attacker to make unauthorized remote modification of settings, disable security features, or reconfigure the device, potentially leading to a complete device takeover.
The vulnerability, reported by an anonymous researcher, remains unpatched as of writing. The Hacker News has contacted Tenda for comment, and we will update the story if we hear back.
In the interim, users are advised to disable remote management on the device and change the default LAN IP address to prevent bad actors from reaching it and reduce opportunistic discovery by automated scanners that target known default IP ranges.
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
