{"document":{"acknowledgments":[{"urls":["https://kb.cert.org/vuls/id/213560#acknowledgements"]}],"category":"CERT/CC Vulnerability Note","csaf_version":"2.0","notes":[{"category":"summary","text":"### Overview\r\nSeveral versions of Tenda firmware contain an undocumented authentication backdoor that grants administrative access to the devices' web management interfaces. An attacker can expoit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials.\r\n\r\nAffected Versions: \r\n* US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD\r\n* US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE\r\n* US_AC10V1.0re_V15.03.06.46_multi_TDE01\r\n* US_AC5V1.0RTL_V15.03.06.48_multi_TDE01\r\n* US_AC6V2.0RTL_V15.03.06.51_multi_T\r\n\r\n### Description\r\nTenda is a supplier of home and business network devices such as routers, switches, wireless access points, and video surveillance equipment. Most of these devices include web-based interfaces that allow users to perform configuration and management operations, which are protected by username/password authentication to prevent unauthorized modifications. \r\n\r\nThe web server binary `/bin/httpd` contains an undocumented backdoor authentication mechanism in the `login()` function. Initially, the function follows a normal authentication path using MD5-based password verification. However, if authentication fails, the function invokes `GetValue(\"sys.rzadmin.password\")` to retrieve an alternate password value from the device configuration. It then performs a direct `strcmp()` comparison in plaintext between the user-supplied password and the configuration-stored value. A successful match grants `role=2` admin-level access and creates a valid session. \r\n\r\nThe associated username is not validated, so any provided username will succeed when paired with the backdoor password. This backdoor authentication mechanism is not documented or visible through any administrative interface.\r\n\r\n### Impact\r\nSuccessful exploitation grants full administrative access to the device's web interface, regardless of the configured administrator account credentials. With administrative control, an attacker can reconfigure the device, alter network settings, and disable security features, enabling broader compromise of the local network.\r\n\r\n### Solution\r\nUnfortunately, we were unable to reach the vendor to coordinate this vulnerability. Since a patch is unavailable, we can only offer mitigation strategies. The following workarounds can help mitigate this vulnerability's impact until a fixed version is released:\r\n\r\n**Disable remote management on your device**\r\nIf your device supports remote web management, disable it. Disabling this feature prevents attackers on external networks from accessing your device’s administrative dashboard over the internet.\r\n\r\n**Restrict local network exposure**\r\nChanging the default LAN IP address may reduce opportunistic discovery by automated scanners that target known default IP ranges. Note that this measure does not prevent deliberate or targeted network scanning.\r\n\r\n### Acknowledgements\r\nThanks to the reporter who wishes to remain anonymous. This document was written by Bob Kemerer.","title":"Summary"},{"category":"legal_disclaimer","text":"THIS DOCUMENT IS PROVIDED ON AN 'AS IS' BASIS AND DOES NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE INFORMATION ON THE DOCUMENT OR MATERIALS LINKED FROM THE DOCUMENT IS AT YOUR OWN RISK. ","title":"Legal Disclaimer"},{"category":"other","text":"CERT/CC Vulnerability Note is a limited advisory. It primarily identifies vendors impacted by the advisory and not specific products. We only support \"known_affected\" and \"known_not_affected\" status. Please consult the vendor's statements and advisory URL if provided by the vendor for more details ","title":"Limitations of Advisory"}],"publisher":{"category":"coordinator","contact_details":"Email: cert@cert.org, Phone: +1412 268 5800","issuing_authority":"CERT/CC under DHS/CISA https://www.cisa.gov/cybersecurity also see https://kb.cert.org/ ","name":"CERT/CC","namespace":"https://kb.cert.org/"},"references":[{"url":"https://certcc.github.io/certcc_disclosure_policy","summary":"CERT/CC vulnerability disclosure policy"},{"summary":"CERT/CC document released","category":"self","url":"https://kb.cert.org/vuls/id/213560"},{"url":"https://www.cisa.gov/audiences/high-risk-communities/projectupskill/module5","summary":"https://www.cisa.gov/audiences/high-risk-communities/projectupskill/module5"},{"url":"https://www.tendacn.com/download/","summary":"https://www.tendacn.com/download/"},{"url":"https://media.defense.gov/2023/Feb/22/2003165170/-1/-1/0/CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF","summary":"https://media.defense.gov/2023/Feb/22/2003165170/-1/-1/0/CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF"}],"title":"Tenda firmware (multiple versions) contains hidden authentication backdoor","tracking":{"current_release_date":"2026-07-06T19:22:18+00:00","generator":{"engine":{"name":"VINCE","version":"3.0.43"}},"id":"VU#213560","initial_release_date":"2026-07-06 19:22:18.221254+00:00","revision_history":[{"date":"2026-07-06T19:22:18+00:00","number":"1.20260706192218.1","summary":"Released on 2026-07-06T19:22:18+00:00"}],"status":"final","version":"1.20260706192218.1"}},"vulnerabilities":[{"title":"The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8.","notes":[{"category":"summary","text":"The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8.\r\n\r\n- The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key).\r\n- After normal authentication fails, it calls GetValue(\"sys.rzadmin.password\") to read a backdoor password from the device configuration.\r\n- It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password.\r\n\r\nA successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor"}],"cve":"CVE-2026-11405","ids":[{"system_name":"CERT/CC V Identifier ","text":"VU#213560"}]}],"product_tree":{"branches":[]}}