Hidden Backdoor Vulnerability Found in Tenda Router Firmware — Vendor Yet to Respond or Issue Patch
The US CERT/CC disclosed a critical authentication backdoor vulnerability (CVE-2026-11405) in multiple Tenda router firmware versions on July 6. Affected models include the FH1201, W15E, AC10, AC5, and AC6 series. The flaw allows attackers to gain full administrator access without valid credentials. No patch is available, and Tenda has not responded to CERT/CC's disclosure attempts.

Highlights
- CERT/CC disclosed CVE-2026-11405 on July 6, 2025 — a critical undocumented authentication backdoor affecting Tenda router firmware across at least five models including FH1201, W15E, AC10, AC5, and AC6.
- The backdoor allows any attacker to obtain full administrator privileges without valid credentials by supplying a hidden internal password stored in the config key `sys.rzadmin.password`, with no username validation required.
- Tenda has not issued a firmware patch and has not responded to CERT/CC's coordinated disclosure attempts, leaving all affected users without an official fix.
- CERT/CC recommends disabling remote web management and changing the router's default LAN IP address as interim mitigations while awaiting a vendor patch.
- The disclosure mirrors FCC supply chain security concerns that led to certain foreign-manufactured networking products being added to the agency's Covered List in March 2025, barring their import and sale in the US.
Hidden Backdoor Found in Tenda Router Firmware — CERT/CC Warns No Patch Available
The CERT Coordination Center (CERT/CC), a government cybersecurity body operated by Carnegie Mellon University's Software Engineering Institute, disclosed a critical firmware vulnerability on July 6 that allows attackers to seize full administrative control over multiple Tenda networking devices. Tracked as CVE-2026-11405, the flaw is an undocumented authentication backdoor embedded in the firmware of affected models, capable of bypassing the normal login process and granting access to the web management interface without requiring valid credentials. Making matters worse, no security patch is currently available — the Shenzhen-based budget networking brand, which holds significant market share in markets such as India, has not responded to CERT/CC's disclosure attempts.
Affected Models and Vulnerability Details
CERT/CC identified five affected firmware versions, spanning the FH1201, W15E, AC10, AC5, and AC6 router series. The advisory was submitted by an anonymous researcher and does not treat this list as exhaustive; given the vendor's silence, the actual scope of affected devices may be broader.
According to the advisory, the vulnerability resides in the router's built-in web server: an undocumented authentication code path that grants administrative access without requiring the administrator password.
How It Works: A Dual Authentication Path
Like most consumer routers, Tenda devices provide a password-protected web management interface for configuring Wi-Fi, firewall rules, DNS servers, firmware updates, port forwarding, parental controls, and other core network functions. Because these interfaces control most router operations, they are typically gated by authentication to prevent unauthorized changes that could compromise an entire home or business network.
According to the advisory, the affected firmware initially performs a normal authentication check, verifying the administrator password using a standard MD5 hash. However, when that verification fails, the login process silently branches to a second, undocumented code path — rather than immediately rejecting the login, the firmware retrieves a separate internally stored password from the configuration key sys.rzadmin.password and compares it directly against user input using the standard C library function strcmp().
If the entered password matches this hidden value, the firmware immediately establishes a valid administrator session with full privileges. More troublingly, the username is never validated — meaning any username combined with the hidden password will succeed, effectively bypassing the router's configured administrator account entirely.
Intentional Backdoor or Development Artifact? Intent Unclear
CERT/CC did not publicly disclose the hidden password itself, but the existence of an undocumented second authentication path significantly undermines the security model of affected devices. Unlike conventional authentication vulnerabilities that stem from implementation errors, this issue constitutes a separate login path — not a flaw in an existing one — granting administrative access via credentials that are neither documented nor exposed through the management interface. Whether this was deliberately implanted or is a leftover from the development process remains unknown. CERT/CC made no conclusions regarding intent, and Tenda's silence has done nothing to clarify the matter.
Potential Impact if Exploited
Successful exploitation would give an attacker full control over router configuration, enabling them to:
- Modify network settings
- Change DNS servers, redirecting network traffic
- Disable security protections
- Replace administrator credentials
- Enable additional remote access features
Because routers serve as the gateway between local devices and the internet, a compromised router puts every connected device on the network at risk of further attacks.
CERT/CC's Recommended Mitigations
While awaiting an official firmware update from Tenda, CERT/CC recommends:
- Disable remote web management wherever possible, to prevent attackers from accessing the management interface over the internet.
- Limit local network exposure; while changing the router's default LAN IP address can reduce opportunistic scanning by automated tools, it will not stop a targeted attacker conducting active network reconnaissance.
Supply Chain Security Concerns Resurface
This disclosure echoes concerns raised by the US Federal Communications Commission (FCC) when it added certain foreign-manufactured networking products to its Covered List in March of this year — a designation that bars such products from receiving authorization for import and sale in the United States. The FCC has argued that compromised consumer routers can give attackers a persistent foothold inside home and small business networks.
An undocumented administrator backdoor in a widely sold networking device, combined with a vendor that has neither patched the flaw nor responded to the disclosure, is precisely the type of supply chain security risk that regulators have been working to address.
原文來源: 查看原文
FAQ
Newsletter
Subscribe to our Low-Altitude Industry Newsletter
Daily curated news on low-altitude economy and drone industry, delivered to your inbox.
Reviewed and published by the LAETimes editorial desk ·


