Skip to main content

CISA issues advisory on Tenda firmware authentication backdoor

Several Tenda firmware versions contain an undocumented authentication backdoor that grants administrative access to devices’ web management interfaces. The vulnerability, tracked as CVE-2026-11405, allows an attacker to bypass password verification and obtain full administrative control without valid credentials, which can enable an attacker to reconfigure devices and alter network settings.

The affected firmware versions are US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T. The web server binary /bin/httpd includes an undocumented backdoor authentication mechanism in the login() function. The login() function initially follows a normal authentication path using MD5-based password verification, but if authentication fails it calls GetValue(“sys.rzadmin.password”) to retrieve an alternate password value from the device configuration, then performs a direct strcmp() comparison in plaintext between the user-supplied password and the configuration-stored value. A successful match grants role=2 admin-level access and creates a valid session. The associated username is not validated, so any provided username succeeds when paired with the backdoor password. This backdoor authentication mechanism is not documented or visible through any administrative interface.

Successful exploitation grants full administrative access to the device’s web interface regardless of the configured administrator account credentials. With administrative control, an attacker can reconfigure the device, alter network settings, and disable security features, enabling broader compromise of the local network.

Coordination with the vendor was not possible, and a patch is unavailable. Mitigation guidance provided states that disabling remote management on devices that support remote web management prevents attackers on external networks from accessing the administrative dashboard over the internet. The guidance also states that changing the default LAN IP address may reduce opportunistic discovery by automated scanners targeting known default IP ranges, and that this measure does not prevent deliberate or targeted network scanning.

Thanks are extended to a reporter who wishes to remain anonymous, and the document was written by Bob Kemerer. Reference links included in the advisory text are https://www.cisa.gov/audiences/high-risk-communities/projectupskill/module5 and https://www.tendacn.com/download/ plus a PDF at https://media.defense.gov/2023/Feb/22/2003165170/-1/-1/0/CSI_BEST_PRACTICES_FOR_SECURING_YOUR_HOME_NETWORK.PDF.