
Tenda Firmware Backdoor Bypasses MD5 Auth via Hardcoded rzadmin Plaintext Check in /bin/httpd
Undocumented rzadmin bypass in Tenda firmware enables unauthenticated admin access on widely deployed models. Evidence points to systemic supply-chain reuse rather than one-off oversight. Continued absence of patches or transparency leaves home and SMB networks exposed to remote reconfiguration.
The vulnerability sits inside the login() function of the web server binary shipped with US_FH1201, W15E, AC10, AC5, and AC6 models. After failed MD5 verification, code falls through to fetch a config-stored value and performs direct string comparison without username validation. Any supplied username paired with the backdoor password yields an elevated session. No interface exposes or documents the mechanism.
CERT/CC received the report from an anonymous researcher; the affected firmware strings and binary offsets match patterns seen in prior Tenda supply-chain disclosures from 2022-2024. Procurement records show these SKUs remain in wide distribution through US retail channels and small-business integrators despite repeated similar findings. The absence of signed firmware updates or SBOM references in vendor contracts leaves downstream operators without verifiable remediation paths.
This backdoor is structurally distinct from typical debug accounts: it activates only on primary auth failure and reuses existing session creation logic, lowering detection thresholds for both network scanners and endpoint telemetry. Comparable hidden credentials have appeared across multiple Chinese OEM router lines, suggesting shared firmware templates rather than isolated developer error.
Operators should immediately restrict WAN management and monitor for unexpected config pushes. No patch timeline has been published; independent binary diffing of future releases against the listed hashes will be required to confirm removal.
Tenda: No firmware update addressing CVE-2026-11405 released for listed models within 120 days
Sources (2)
- [1]Primary Source(https://kb.cert.org/vuls/id/XXXXXXX)
- [2]Supporting Source(https://nvd.nist.gov/vuln/detail/CVE-2026-11405)