Tenda Firmware CVE-2026-11405 Authentication Backdoor

Tenda Firmware CVE-2026-11405 Authentication Backdoor

Overview

Multiple versions of Tenda firmware contain an undocumented authentication backdoor that grants full administrative access to the devices' web management interfaces. Tracked as CVE-2026-11405, this vulnerability allows an attacker to bypass standard password verification and obtain complete control of the device without valid user credentials.

Technical Analysis of the Backdoor

The vulnerability exists within the web server binary /bin/httpd specifically inside the login() function. While the system initially attempts a standard MD5-based password verification, it employs a fallback mechanism if that authentication fails.

The Authentication Bypass Mechanism

  1. Fallback Trigger: If the primary MD5 authentication fails, the login() function invokes GetValue("sys.rzadmin.password") to retrieve an alternate password stored in the device configuration.
  2. Plaintext Comparison: The system performs a direct strcmp() comparison between the user-supplied password and the stored value in plaintext.
  3. Administrative Grant: A successful match grants the user role=2 (admin-level access) and establishes a valid session.
  4. Username Irrelevance: The associated username is not validated; any username paired with the backdoor password will grant access.

Community analysis suggests the backdoor password is likely "rzadmin". Further investigation into unencrypted firmware (such as US_W18EV2_kf_V16.01.0.20) revealed configuration files (default_ac.cfg and default_router.cfg) where sys.rzadmin.password is stored as a Base64 encoded string (cnphZG1pbg==), which decodes to "rzadmin".

Affected Firmware Versions

The following Tenda firmware versions are explicitly identified as vulnerable:

  • US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
  • US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
  • US_AC10V1.0re_V15.03.06.46_multi_TDE01
  • US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
  • US_AC6V2.0RTL_V15.03.06.51_multi_T

Impact and Risk

Successful exploitation grants an attacker full administrative control over the device's web interface. This allows for the reconfiguration of network settings, disabling of security features, and potential lateral movement to compromise other devices on the local network.

Beyond the primary backdoor, community researchers have noted other concerning findings in Tenda binaries, including a function imsd_remote_pwd_get in /bin/imsd that retrieves the administrator password, and a library /lib/lubucapi.so that may facilitate cloud management or remote debugging.

Mitigation Strategies

As CERT/CC was unable to coordinate a fix with the vendor, no official patch is currently available. Users are advised to implement the following workarounds:

  • Disable Remote Management: Turn off the feature that allows the web management interface to be accessed from the internet (WAN side).
  • Restrict Local Exposure: Change the default LAN IP address to make the device less susceptible to automated scanners targeting default IP ranges.
  • Replace Firmware: Where possible, install open-source alternatives like OpenWRT to remove vendor-provided "black box" firmware.

Community Perspective

Technical discussions regarding this vulnerability highlight a divide between those who view this as a malicious backdoor and those who see it as a remnant of developer testing.

"This looks less like a 'backdoor' (implies malicious...) and more like a developer access credential/default credential that was burned into the firmware... you get lazy and dont run that extra step and this slips in."

Other contributors argue that the lack of sophistication suggests incompetence rather than a state-sponsored effort, while emphasizing that the result—unauthorized administrative access—remains a critical security failure regardless of intent.

Sources