RC RANDOM CHAOS

Hidden backdoor in Tenda router firmware grants unauthenticated admin access

· via Hacker News

Original source

Tenda firmware (multiple versions) contains hidden authentication backdoor

Hacker News →

Multiple versions of Tenda networking firmware ship with an undocumented authentication backdoor, tracked as CVE-2026-11405, that hands full administrative control of the device’s web interface to anyone who knows a single secret password. The flaw lives in the login() function of the /bin/httpd web server binary: when normal MD5-based password checks fail, the code falls back to reading an alternate value from the ‘sys.rzadmin.password’ configuration key and does a plaintext strcmp() against whatever the attacker submitted. A match grants role=2 admin privileges and mints a valid session. Because the username is never checked, any username paired with the backdoor password works, and nothing about the mechanism is exposed through the normal admin UI.

Confirmed affected images span popular Tenda models including the AC5, AC6, AC10, W15E, and FH1201. An attacker who reaches the management interface can reconfigure the device, rewrite network settings, and switch off security features—turning a single router into a foothold for compromising the entire local network. Tenda also sells switches, access points, and surveillance gear built on similar firmware, which broadens the potential blast radius.

There is no patch. CERT/CC says it could not reach the vendor to coordinate disclosure, so the only defenses on offer are mitigations: disable remote web management so external attackers can’t reach the dashboard, and change the default LAN IP to slow opportunistic scanners—though that won’t stop a targeted attacker already on the network. A hardcoded fallback credential shipped in production firmware is close to worst-case for consumer network hardware, and the lack of vendor response leaves owners exposed indefinitely.

Read the full article

Continue reading at Hacker News →

This is an AI-generated summary. Read the original for the full story.