Unauthenticated Flaw Allows Full Router, Network Takeover

A significant security flaw has been uncovered in the firmware of Tenda routers, a popular product line from the Chinese networking hardware manufacturer. The newly identified backdoor grants unauthenticated administrative access to devices through their web management interfaces, posing a severe risk to users.
This security vulnerability is traced to an undocumented component embedded within the web server binary /bin/httpd. Designated as CVE-2026-11405, this flaw lurks in the login() function and specifically allows access without any validated credentials. Normally, hardware systems that rely on web-based interfaces utilize username and password protections to prevent unauthorized modifications. However, this hidden backdoor exploits the firmware’s usual authentication channels to facilitate illicit access.
The details of the exploitation process, as reported by the CERT Coordination Center from Carnegie Mellon University, reveal that the attack begins with a conventional MD5-based password validation method. In instances where authentication fails, the backdoor reroutes to an alternate code sequence. It employs GetValue("sys.rzadmin.password") to generate a new password from the device’s configuration files, effectively circumventing the need for valid credentials.
This flaw operates in plaintext, with a strcmp() operation comparing the user-supplied password against the one stored in the device’s configuration. If these values align, the user is granted role=2 admin-level access, consequently establishing a valid session. According to CERT/CC, the username “rzadmin” is associated with this backdoor and notably is not subjected to any validation. This means that users can utilize any username while gaining access, provided they pair it with a correctly generated password from the backdoor.
Despite its potential consequences, the vulnerability does not currently possess a CVSS score and is conspicuously absent from the CISA-managed Known Exploited Vulnerabilities catalog. However, researchers note that should an attacker successfully exploit this flaw, they would gain the ability to completely reconfigure affected devices. This includes modifying network settings and disabling security mechanisms, which could ultimately lead to broader network compromises.
Although there is no official listing in CISA’s catalog, evidence of exploitation has emerged in the cybersecurity landscape. Notably, the cybersecurity firm Rescana has reported ongoing active exploitation of this vulnerability. They disclosed findings revealing that unauthorized entities are actively scanning for this flaw.
Intriguingly, a public Nmap NSE script, identified as tenda-backdoor.nse, has been utilized to automate the detection and exploitation of vulnerable routers. By scanning UDP port 7329, this script significantly expands the potential attack surface, raising alarm bells within the cybersecurity community.
Network traffic associated with this backdoor reflects unusual activity, with suspicious external IP addresses reaching out to contact routers and “storing unexplained files.” Furthermore, there is evidence of outbound connections observed between compromised routers and dubious external infrastructure. The methodology of this attack typically involves credential interception, session hijacking, and deploying unauthorized code onto affected devices.
As it stands, there are no patches available for this critical vulnerability. However, experts advise Tenda device users to disable remote management functionalities and alter the default LAN IP address. This measure could substantially mitigate network exposure, minimizing the risks associated with automated scanning that targets common exploitable IP ranges.
In the interim, until a patch is released and the firmware is updated, users are encouraged to isolate management interfaces and monitor their networks for unauthorized access attempts targeting UDP port 7329. Additionally, a thorough review of current router configurations should be performed, specifically checking for the inclusion of sys.rzadmin.password.
This vulnerability is known to impact various router models, including the FH1201, W15E, AC10, AC5, and AC6 families. The issue was first disclosed by an anonymous researcher who reported it through CERT/CC, thus alerting Tenda to the pressing security threat.