Unauthenticated Flaw Allows Full Router, Network Takeover
A critical vulnerability has emerged within the firmware sold by the Chinese networking hardware manufacturer Tenda, raising alarms about the potential for significant security risks. This flaw, characterized as a hidden backdoor, enables unauthorized administrative access and control over affected devices through the web management interfaces.
The flaw, identified as CVE-2026-11405, is embedded in the web server binary located at /bin/httpd. It resides within the login() function and notably requires no validated credentials for access. Typically, hardware that relies on web-based interfaces is protected through username and password authentication, which helps to prevent unauthorized configuration changes and alterations to system settings. However, this backdoor exploits the firmware’s existing authentication pathways, presenting a severe security threat to users of Tenda products.
The exploit begins with a standard MD5-based password verification mechanism. When a user attempts to log in but fails to authenticate, the backdoor activates an alternative code path. It uses the function GetValue("sys.rzadmin.password") to retrieve a new password directly from the device’s configuration, thereby bypassing conventional authentication checks. This sequence initiates a strcmp() comparison between the password supplied by the user and the value stored in the device’s configuration. If they match, the user is granted admin-level access, creating a valid session despite the initial authentication failure.
According to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, the username "rzadmin" associated with this backdoor is not subject to any validation. Therefore, any username entered can be paired with the unauthorized backdoor-generated values to gain access. CERT/CC has stated that this backdoor authentication mechanism remains undocumented and invisible through any administrative interface, highlighting the severity of the security breach.
Currently, this flaw does not have a Common Vulnerability Scoring System (CVSS) score and is not listed in the Cybersecurity and Infrastructure Security Agency (CISA) managed catalog of Known Exploited Vulnerabilities. However, should the vulnerability be exploited successfully, it would enable attackers to fully recast device configurations. This includes the ability to alter essential network settings and deactivate security features, thus potentially leading to widespread network compromise.
Cybersecurity firm Rescana has reported that exploitation of this hidden backdoor is already being observed in the wild. Researchers have identified that a publicly available Nmap NSE script—designated as tenda-backdoor.nse—is drastically expanding the attack vector for hackers. This script automates the detection and exploitation process via UDP port 7329, effectively scanning for devices vulnerable to this flaw.
Further investigations into traffic patterns surrounding the vulnerability have revealed suspicious communications from external IP addresses attempting to contact routers. These interactions appear to involve the unaccounted storage of files within routers and outbound connections from compromised devices to dubious external infrastructures. The backdoor appears to follow a recognizable attack trajectory, which includes credential interception, session hijacking, and unauthorized code deployment onto vulnerable devices.
As of now, no patch for this vulnerability has been released. In light of this, users are urged to take immediate action by disabling remote management features on affected Tenda devices and altering the default LAN IP address. These precautions will help limit network exposure and diminish the impact of computerized scans that exploit default, readily identifiable IP ranges. Additionally, users should focus on segmenting management interfaces and closely monitor network activity for any unauthorized access attempts targeting UDP port 7329. It is highly advisable to review current router configurations for any instance of sys.rzadmin.password that might exist.
The vulnerability currently affects several router families, including the FH1201, W15E, AC10, AC5, and AC6 series. This alarming issue was initially reported by an unnamed researcher who utilized CERT/CC to inform Tenda of the ongoing threat posed by this hidden backdoor.
In summary, the discovery of this serious flaw in Tenda’s firmware underscores the necessity of heightened vigilance regarding network security. As cyber threats continue to evolve, the implications of such vulnerabilities highlight the critical need for manufacturers to prioritize security measures in their products and ensure users are equipped with the means to protect their networks effectively.
