๐Ÿ” CVE Alert

CVE-2026-11405

CRITICAL 9.8

Hidden backdoor authentication mechanism in multiple versions of Tenda firmware allows admin access to web management interface

CVSS Score
9.8
EPSS Score
0.2%
EPSS Percentile
15th

The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8. - The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key). - After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration. - It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password. A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked โ€” any username works with the backdoor

Vendor tenda
Product firmware
Published Jul 6, 2026
Last Updated Jul 8, 2026
Stay Ahead of the Next One

Get instant alerts for tenda firmware

Be the first to know when new critical vulnerabilities affecting tenda firmware are published โ€” delivered to Slack, Telegram or Discord.

Get Free Alerts โ†’ Free ยท No credit card ยท 60 sec setup

Affected Versions

Tenda / firmware
US_AC6V2.0RTL_V15.03.06.51_multi_T
Tenda / firmware
US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
Tenda / firmware
US_AC10V1.0re_V15.03.06.46_multi_TDE01
Tenda / firmware
US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
Tenda / firmware
US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD

References

NVD โ†— CVE.org โ†— EPSS Data โ†—
cwe.mitre.org: https://cwe.mitre.org/data/definitions/912.html kb.cert.org: https://kb.cert.org/vuls/id/213560 kb.cert.org: https://www.kb.cert.org/vuls/id/213560