Tenda Authentication Backdoor Grants Attackers Full Administrative Access
A newly disclosed vulnerability in Tenda network devices exposes a critical authentication backdoor that allows attackers to gain full administrative access without valid credentials.
The flaw affects multiple firmware versions across several Tenda router models, including the FH1201, W15E, AC10, AC5, and AC6 series.
The issue, tracked as CVE-2026-11405, was published by the CERT Coordination Center under Vulnerability Note VU#213560 on July 6, 2026.
These routers are widely used in home and small business environments, where they rely on web-based management interfaces secured by username and password authentication.
According to the advisory, the vulnerability exists within the web server binary located at /bin/httpd. Specifically, the issue lies in the login () function, which contains an undocumented authentication mechanism.
Tenda Backdoor Grants Admin Access
Under normal conditions, the function validates user credentials using an MD5-based password verification process. However, when authentication fails, the function follows an alternate execution path that introduces a hidden backdoor.
This backdoor retrieves a secondary password value from the device configuration using the GetValue(“sys.rzadmin.password”) function.
Instead of applying standard hashing or secure comparison, the system performs a direct plaintext strcmp() comparison between the supplied password and the stored value.
If the comparison succeeds, the system grants administrative privileges by assigning role=2 and creates a valid session.
A critical aspect of this vulnerability is that the username is not validated during this fallback process. This means an attacker can use any arbitrary username alongside the backdoor password to gain full administrative control.
The presence of this mechanism is not documented. It cannot be identified through the standard administrative interface, making it particularly dangerous.
Successful exploitation enables attackers to compromise affected devices fully. With administrative access, attackers can modify network configurations, redirect traffic, turn off security controls, or deploy malicious firmware.
This level of control can facilitate broader attacks, including man-in-the-middle interception, persistence within the network, and lateral movement to other connected systems.
At the time of disclosure, no official patch or firmware update has been released by Tenda, and attempts to coordinate with the vendor were unsuccessful.
As a result, users are advised to take immediate mitigation steps to reduce exposure. Security experts recommend turning off remote web management features to prevent external access to the device’s interface.
Additionally, changing the default local IP address may reduce the likelihood of automated scanning attacks targeting known address ranges. However, it does not stop determined attackers.
The discovery of these hidden backdoors raises serious concerns about firmware security practices and the trustworthiness of the supply chain.
Users and organizations relying on affected Tenda devices should closely monitor for updates and consider replacing vulnerable hardware if no fix becomes available.
Strengthen Your SOC by Accelerating Threat Detection & Rapid Investigations. -> Integrate ANY.RUN With Your SOC Now.
The post Tenda Authentication Backdoor Grants Attackers Full Administrative Access appeared first on Cyber Security News.
Abinaya
Go to cyber-security-news