CVE-2026-11405
N/A
N/A
Summary
The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8.
- The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key).
- After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration.
- It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password.
A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor
Affected Software
| Vendor | Product | Version Range | Status |
|---|---|---|---|
| Tenda | firmware | US_AC6V2.0RTL_V15.03.06.51_multi_T | affected |
| Tenda | firmware | US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 | affected |
| Tenda | firmware | US_AC10V1.0re_V15.03.06.46_multi_TDE01 | affected |
| Tenda | firmware | US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE | affected |
| Tenda | firmware | US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD | affected |
Weaknesses
- CWE-912: Hidden Functionality
ADP Enrichment
CVE Program Container
Additional References
References
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.