HN
Today

Tenda firmware (multiple versions) contains hidden authentication backdoor

CERT/CC has revealed a critical, undocumented authentication backdoor in multiple versions of Tenda router firmware, granting full administrative access without valid credentials. This severe flaw allows attackers to completely compromise affected devices, but Tenda has been unresponsive, leaving users without an official patch. The revelation sparked immediate concerns on Hacker News regarding supply chain security and the trustworthiness of certain hardware manufacturers, especially given the vendor's silence.

33
Score
6
Comments
#2
Highest Rank
16h
on Front Page
First Seen
Jul 8, 2:00 AM
Last Seen
Jul 8, 5:00 PM
Rank Over Time
33432334458812131720

The Lowdown

A significant security vulnerability has been identified in Tenda firmware, specifically an undisclosed authentication backdoor that provides administrative access to network devices. This flaw, tracked as CVE-2026-11405, allows unauthorized individuals to bypass standard password verification and gain full control over routers and other Tenda equipment.

  • Nature of Vulnerability: The backdoor resides in the login() function of the /bin/httpd web server binary. After a failed standard MD5-based authentication, the function attempts a plaintext strcmp() comparison with a hidden value retrieved from sys.rzadmin.password.
  • Impact: Successful exploitation grants an attacker complete administrative privileges over the device's web interface, irrespective of the configured credentials. This enables network reconfiguration, disabling of security features, and broader compromise of the local network.
  • Affected Devices: The vulnerability impacts various Tenda router models, including specific versions of US_FH1201V1.0BR, US_W15EV1.0br, US_AC10V1.0re, US_AC5V1.0RTL, and US_AC6V2.0RTL.
  • Vendor Response: CERT/CC reported that they were unable to reach Tenda for vulnerability coordination, meaning no official patch is currently available.
  • Mitigation: Recommended workarounds include disabling remote web management and changing the default LAN IP address, although these do not prevent targeted attacks.

This unpatched backdoor poses a substantial risk to users of Tenda devices, underscoring the critical need for vendor accountability and vigilance in securing home and business networks.

The Gossip

Suspicious Sourcing and State-Sponsored Spying

Many commenters quickly attributed the discovery of an undocumented backdoor to the manufacturer's Chinese origin, suggesting a pattern of intentional vulnerabilities or state-mandated surveillance. There was a strong sense of 'I told you so' regarding the perceived untrustworthiness of certain foreign-made network equipment, raising broader concerns about supply chain integrity and national security implications.

Vendor's Vexing Vacuity

The community expressed significant frustration over CERT/CC's inability to contact Tenda for vulnerability coordination and the subsequent lack of an official patch. Commenters highlighted the irresponsibility of a vendor leaving such a critical flaw unaddressed, leaving users reliant on partial mitigation strategies and uncertain about the continued security of their devices.