Description
The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8.

- The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key).
- After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration.
- It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password.

A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor
Published: 2026-07-06
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A hidden backdoor authentication mechanism in the Tenda firmware web server allows an attacker to gain administrator roles without proper credentials. The server’s login function first attempts a normal MD5‑based password check but, if it fails, reads a backdoor password stored in the device configuration and compares it directly to supplied password using a plaintext strcmp. Any username is accepted, so providing the backdoor password grants role=2, which equals full administrative access for the web management interface.

Affected Systems

This flaw is present in all affected T the /bin/httpd binary described. No specific version numbers are provided, so the vulnerability likely spans multiple firmware builds that include this code path.

Risk and Exploitability

The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog, yet its impact remains severe. The backdoor bypasses authentication entirely, enabling an attacker who can reach the web interface (remote or local) to assume full control of the device. The flaw requires no special privileges beyond reaching the interface, so exploitation is straightforward once the attacker can connect to the device’s HTTP port. Given the high potential for compromise, this vulnerability poses.

Generated by OpenCVE AI on July 7, 2026 at 05:35 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade the Tenda firmware to the latest officially released version that removes the hidden backdoor authentication mechanism.
  • If a firmware upgrade cannot be performed immediately, restrict or block remote access to the web management interface using firewall rules or router settings to prevent external attackers from connecting.
  • Disable or remove the configuration value “sys.rzadmin.password” and ensure the rzadmin username is not used for any valid login attempts.
  • Monitor system logs for anomalous authentication attempts and any usage of the backdoor parameters.
  • Check the vendor’s security advisories for any updates or additional recommendations.

Generated by OpenCVE AI on July 7, 2026 at 05:35 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 06:00:00 +0000

Type Values Removed Values Added
Weaknesses CWE-250
CWE-287

Mon, 06 Jul 2026 19:45:00 +0000

Type Values Removed Values Added
Description The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8. - The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key). - After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration. - It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password. A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor
Title Hidden backdoor authentication mechanism in multiple versions of Tenda firmware allows admin access to web management interface
References

Subscriptions

No data.

cve-icon MITRE

Status: PUBLISHED

Assigner: certcc

Published:

Updated: 2026-07-06T20:37:55.739Z

Reserved: 2026-06-05T18:12:15.445Z

Link: CVE-2026-11405

cve-icon Vulnrichment

No data.

cve-icon NVD

No data.

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T05:45:03Z

Weaknesses
  • CWE-250

    Execution with Unnecessary Privileges

  • CWE-287

    Improper Authentication