The Tenda Firmware Backdoor and the Cost of Silent Vendors
A hardcoded fallback in Tenda routers bypasses authentication entirely, leaving administrators with no choice but to isolate or replace devices.
Embedded systems security often suffers from a legacy of debug code left in production. The latest reminder is CVE-2026-11405, a critical vulnerability affecting multiple Tenda router firmware versions. This is not a standard buffer overflow or a complex cryptographic bypass. It is an undocumented, hardcoded authentication backdoor embedded directly within the device's web server binary.
Because the CERT Coordination Center was unable to establish contact with the vendor to coordinate a patch, network administrators and developers managing these environments cannot wait for an upstream fix. The backdoor is already being actively probed in the wild, meaning immediate isolation or hardware replacement is the only viable path forward.
The Anatomy of the Fallback
The vulnerability resides in the /bin/httpd binary, which serves the web management interface for several Tenda models, including the FH1201, W15E, AC10, AC5, AC6 V2, F3, and N300.
When a user attempts to log in, the login() function executes. Under normal circumstances, the application performs standard MD5-based password verification. However, the developers of this firmware implemented a fallback mechanism. If the MD5 verification fails, the binary executes a secondary check.
Specifically, the function calls GetValue("sys.rzadmin.password") to retrieve an alternate password string stored in the device's configuration (likely NVRAM). It then performs a direct, plaintext strcmp() comparison between the user-supplied password and this configuration value.
// Conceptual representation of the backdoor logic in /bin/httpd
int login(char *username, char *password) {
if (verify_md5_password(username, password) == AUTH_SUCCESS) {
return grant_access(role_user);
}
// Fallback backdoor path
char *backdoor_pass = GetValue("sys.rzadmin.password");
if (backdoor_pass != NULL && strcmp(password, backdoor_pass) == 0) {
// Bypasses username validation entirely
return grant_access(role_admin); // Grants role=2 administrative access
}
return AUTH_FAILED;
}
If the strings match, the application grants role=2 administrative access and establishes a valid session. Crucially, the associated username is never validated. Any username paired with the backdoor password will successfully authenticate. This design bypasses standard access controls, rendering any user-configured administrator password useless if an attacker knows or retrieves the sys.rzadmin.password value.
Exploitation and the UDP 7329 Vector
While the backdoor requires knowing the configuration-stored password, the attack surface is significantly wider than it appears. Automated scanning activity has been observed targeting these devices.
Attackers are leveraging a public Nmap NSE script (tenda-backdoor.nse) designed to automate detection and exploitation. This script targets UDP port 7329, a port historically associated with Tenda's management and diagnostic protocols. Through this port, attackers can probe for the presence of the backdoor, check configuration keys, and potentially extract the plaintext password needed to log into the web interface.
Reports from the field indicate that compromised routers are already exhibiting signs of exploitation, including outbound connections to suspicious external infrastructure and the creation of unauthorized files on the local filesystem.
The Developer and Ops Playbook
Because there is no official patch, standard vulnerability management workflows do not apply here. If you have these devices in your inventory, you must assume they are highly vulnerable or already compromised.
1. Audit and Detect
If you run automated network scans, update your toolsets to actively probe for UDP port 7329. You can use Nmap to identify exposed interfaces across your subnets:
nmap -sU -p 7329 --script tenda-backdoor <target-subnet>
Additionally, if you have shell access to these devices or are analyzing firmware images, check the configuration database for the presence of the sys.rzadmin.password key.
2. Mitigate Immediately
If you cannot immediately decommission the hardware, implement these strict mitigations:
- Disable Remote Management: Ensure the web administration interface is completely inaccessible from the WAN side.
- Isolate the Management VLAN: Move the administrative interface off the main local network. Changing the default LAN IP address (e.g., away from
192.168.0.1) reduces opportunistic discovery by basic automated scripts, but it will not stop a targeted scanner. The interface must be firewalled and restricted to trusted administrative hosts. - Monitor Outbound Traffic: Set up egress filtering rules to flag or block unexpected outbound connections originating from the router's IP address itself.
The Reality of Firmware Debt
For developers building embedded Linux distributions or IoT firmware, CVE-2026-11405 is a classic case study in why fallback authentication paths must be banned during the design phase.
Hardcoded accounts or fallback configuration checks are often introduced during development to simplify testing, debugging, or remote support (the "rz" in rzadmin likely points to a specific vendor support tool). However, when these mechanisms rely on plaintext comparisons and bypass standard AAA (Authentication, Authorization, and Accounting) pipelines, they inevitably become security liabilities.
Modern firmware development pipelines should incorporate static analysis tools to flag plaintext string comparisons (strcmp, strncmp) occurring within authentication functions, and automated binary scanning to ensure debug configuration keys do not make it into production builds.
Sources & further reading
- Tenda firmware (multiple versions) contains hidden authentication backdoor — kb.cert.org
- CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware — thehackernews.com
- Hidden backdoor in Tenda router firmware grants admin access — bleepingcomputer.com
- Active Exploitation Alert: Hidden Admin Backdoor (CVE-2026-11405) in Tenda Router Firmware Enables Unauthenticated Remote Access – Rescana — rescana.com
Ji-ho covers the increasingly tangled overlap between cloud architecture and security, drawing on a background as a penetration tester to keep his reporting grounded in real-world attack paths. He never lets a vendor claim go unquestioned and insists that every buzzword come with a proof of concept.
Discussion 0
No comments yet
Be the first to weigh in.