The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8.
- The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key).
- After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration.
- It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password.
A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor
Metrics
Affected Vendors & Products
References
History
Mon, 13 Jul 2026 02:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-287 CWE-912 |
Fri, 10 Jul 2026 15:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-287 CWE-912 |
Fri, 10 Jul 2026 02:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-256 CWE-287 |
Wed, 08 Jul 2026 21:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-256 CWE-287 |
Wed, 08 Jul 2026 14:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Metrics |
cvssV3_1
|
Wed, 08 Jul 2026 05:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-250 CWE-287 |
Tue, 07 Jul 2026 06:00:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Weaknesses | CWE-250 CWE-287 |
Mon, 06 Jul 2026 19:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8. - The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key). - After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration. - It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password. A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor | |
| Title | Hidden backdoor authentication mechanism in multiple versions of Tenda firmware allows admin access to web management interface | |
| References |
|
Status: PUBLISHED
Assigner: certcc
Published: 2026-07-06T19:17:07.891Z
Updated: 2026-07-08T13:40:24.471Z
Reserved: 2026-06-05T18:12:15.445Z
Link: CVE-2026-11405
Updated: 2026-07-06T20:37:55.739Z
No data.
No data.