Unauthenticated Flaw Allows Full Router, Network Takeover

A hidden backdoor found in firmware sold by Chinese networking hardware manufacturer Tenda enables unauthenticated administrative access and control over devices through web management interfaces.
See Also: Beat the Breach: Outsmart Attackers and Secure the Cloud
Embedded in the web server binary /bin/httpd, the flaw, tracked as CVE-2026-11405, maintains an undocumented backdoor within the login() function and requires no validated credentials for access. Hardware equipment often reliant on web-based, username and password protected interfaces restrict unauthorized configuration adjustments and other system modifications. The backdoor uses this built-in limitation to exploit the firmware’s usual authentication path.
Exploiting the flaw, reported by the CERT Coordination Center out of Carnegie Mellon University earlier this week, begins with a standard MD5-based password verification path. When authentication fails, the backdoor reverts to an alternative code path, utilizing GetValue("sys.rzadmin.password") to generate and pull a new password value from the device configuration.
In plaintext, the flaw initiates a strcmp() comparison between the user-supplied password and the configuration-stored value, granting role=2 admin-level access and creating a valid session if the values match.
According to CERT/CC, the associated “rzadmin” username is “not validated,” meaning any username provided will go unchecked and gain access if paired with a backdoor-generated value. “This backdoor authentication mechanism is not documented or visible through any administrative interface,” said CERT/CC.
The flaw currently holds no CVSS score and is not listed in the CISA-managed Known Exploited Vulnerabilities catalog.
If successfully exploited, the backdoor would enable attackers to fully reconfigure devices, including altering network settings and disabling security features, and could quickly escalate to network compromise. Despite no KEV listing, exploitation is being observed in the wild by researchers tracking the issue closely, found cybersecurity firm Rescana.
Based on reports, a publicly available Nmap NSE script – tenda-backdoor.nse – is drastically widening the attack surface. The script “automates detection and exploitation via UDP port 7329,” scanning for vulnerable devices.
Traffic around the flaw shows suspicious external IP addresses contacting routers and “storing unexplained files,” in addition to outbound connections between already “compromised routers” and suspicious external infrastructure.” The backdoor follows a typical attack path: credential interception, session hijacking and deployment of unauthorized code onto affected devices.
No patch is available as of publication but users are advised to disable remote management tools on affected Tenda devices and update the default LAN IP address to limit network exposure and reduce automated scans from picking up default, exploitable IP ranges.
Until patching is possible and firmware is updated, users should also segment management interfaces and monitor networks for unauthorized attempts to access UDP port 7329, reviewing current router configurations for sys.rzadmin.password inclusion.
The vulnerability itself, which currently affects the FH1201, W15E, AC10, AC5 and AC6 router families, was initially reported by an anonymous researcher who, through CERT/CC, notified Tenda of the ongoing threat.
