The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8. - The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key). - After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration. - It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password. A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor
History

Mon, 13 Jul 2026 02:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-287
CWE-912

Fri, 10 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-287
CWE-912

Fri, 10 Jul 2026 02:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-256
CWE-287

Wed, 08 Jul 2026 21:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-256
CWE-287

Wed, 08 Jul 2026 14:30:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 08 Jul 2026 05:45:00 +0000

Type Values Removed Values Added
Weaknesses CWE-250
CWE-287

Tue, 07 Jul 2026 06:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-250
CWE-287

Mon, 06 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8. - The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key). - After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration. - It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password. A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor
Title Hidden backdoor authentication mechanism in multiple versions of Tenda firmware allows admin access to web management interface
References

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published: 2026-07-06T19:17:07.891Z

Updated: 2026-07-08T13:40:24.471Z

Reserved: 2026-06-05T18:12:15.445Z

Link: CVE-2026-11405

cve-icon Vulnrichment

Updated: 2026-07-06T20:37:55.739Z

cve-icon NVD

No data.

cve-icon Redhat

No data.