Tenda Firmware CVE-2026-11405 Authentication Backdoor
Tenda Firmware CVE-2026-11405 Authentication Backdoor
Overview
Multiple versions of Tenda firmware contain an undocumented authentication backdoor that grants full administrative access to the devices' web management interfaces. Tracked as CVE-2026-11405, this vulnerability allows an attacker to bypass standard password verification and obtain complete control of the device without valid user credentials.
Technical Analysis of the Backdoor
The vulnerability exists within the web server binary /bin/httpd specifically inside the login() function. While the system initially attempts a standard MD5-based password verification, it employs a fallback mechanism if that authentication fails.
The Authentication Bypass Mechanism
- Fallback Trigger: If the primary MD5 authentication fails, the
login()function invokesGetValue("sys.rzadmin.password")to retrieve an alternate password stored in the device configuration. - Plaintext Comparison: The system performs a direct
strcmp()comparison between the user-supplied password and the stored value in plaintext. - Administrative Grant: A successful match grants the user
role=2(admin-level access) and establishes a valid session. - Username Irrelevance: The associated username is not validated; any username paired with the backdoor password will grant access.
Community analysis suggests the backdoor password is likely "rzadmin". Further investigation into unencrypted firmware (such as US_W18EV2_kf_V16.01.0.20) revealed configuration files (default_ac.cfg and default_router.cfg) where sys.rzadmin.password is stored as a Base64 encoded string (cnphZG1pbg==), which decodes to "rzadmin".
Affected Firmware Versions
The following Tenda firmware versions are explicitly identified as vulnerable:
US_FH1201V1.0BR_V1.2.0.14(408)_EN_TDUS_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDEUS_AC10V1.0re_V15.03.06.46_multi_TDE01US_AC5V1.0RTL_V15.03.06.48_multi_TDE01US_AC6V2.0RTL_V15.03.06.51_multi_T
Impact and Risk
Successful exploitation grants an attacker full administrative control over the device's web interface. This allows for the reconfiguration of network settings, disabling of security features, and potential lateral movement to compromise other devices on the local network.
Beyond the primary backdoor, community researchers have noted other concerning findings in Tenda binaries, including a function imsd_remote_pwd_get in /bin/imsd that retrieves the administrator password, and a library /lib/lubucapi.so that may facilitate cloud management or remote debugging.
Mitigation Strategies
As CERT/CC was unable to coordinate a fix with the vendor, no official patch is currently available. Users are advised to implement the following workarounds:
- Disable Remote Management: Turn off the feature that allows the web management interface to be accessed from the internet (WAN side).
- Restrict Local Exposure: Change the default LAN IP address to make the device less susceptible to automated scanners targeting default IP ranges.
- Replace Firmware: Where possible, install open-source alternatives like OpenWRT to remove vendor-provided "black box" firmware.
Community Perspective
Technical discussions regarding this vulnerability highlight a divide between those who view this as a malicious backdoor and those who see it as a remnant of developer testing.
"This looks less like a 'backdoor' (implies malicious...) and more like a developer access credential/default credential that was burned into the firmware... you get lazy and dont run that extra step and this slips in."
Other contributors argue that the lack of sophistication suggests incompetence rather than a state-sponsored effort, while emphasizing that the result—unauthorized administrative access—remains a critical security failure regardless of intent.