CERT/CC warns of hidden admin backdoor in several Tenda firmware versions

by

The CERT Coordination Center warned Monday that several firmware versions from Chinese network device maker Tenda contain an undocumented authentication backdoor that can give attackers administrative access to web management interfaces, affecting multiple models and tracked as CVE-2026-11405.

KEY FACTS

  • Affected firmware Five firmware builds for Tenda devices were listed in the advisory.
  • Access impact Successful use of the flaw can bypass password checks and create an admin session.
  • Technical path The backdoor is tied to the login() function in the /bin/httpd web server binary.
  • Status The issue was reported by an anonymous researcher and remained unpatched in the disclosure.

The advisory said the normal authentication flow uses MD5-based password verification, but if that check fails the code can switch to an alternate path. That path calls GetValue("sys.rzadmin.password") to fetch a password value from device configuration and compares it directly with the password entered by the user.

If the values match, the device grants admin-level access with role 2 and creates a valid elevated session. The username is not checked for that backdoor path, so any username can work when paired with the stored password.

The disclosure said the mechanism is not documented or visible through any administrative interface. It also said an attacker with access could modify settings, disable security features, reconfigure the device, or take over the system.

Tenda had not released a fix at the time of the disclosure. Users were advised to disable remote management and change the default LAN IP address to reduce exposure to scanners and other opportunistic attacks.

WHY IT MATTERS

A hidden admin path in networking gear can let an attacker take control without knowing a valid account password. That can expose device settings and weaken the security of connected networks until a patch is available.