Skip to main content

Tenda Routers CVE-2026-11405

| EUVDEUVD-2026-41919 CRITICAL
2026-07-06 certcc GHSA-w55r-jjxw-gxrx
9.8
CVSS 3.1 · Vendor: certcc
Share

Severity by source

Vendor (certcc) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Network-reachable web login with an unconditional backdoor branch granting full admin (role=2) and total device control; PR:N assumes a known/shared backdoor secret, otherwise PR could rise if per-device.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (certcc).

CVSS VectorVendor: certcc

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Analysis Generated
Jul 08, 2026 - 16:35 vuln.today
CVSS changed
Jul 08, 2026 - 14:22 NVD
9.8 (CRITICAL)
CVE Published
Jul 06, 2026 - 19:17 cve.org
UNKNOWN (no severity yet)

DescriptionCVE.org

The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8.

  • The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key).
  • After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration.
  • It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password.

A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked - any username works with the backdoor

AnalysisAI

Authentication bypass in Tenda router firmware (AC10, AC5, AC6, FH1201, W15E) lets any user log in as administrator via a hidden vendor backdoor: after normal MD5-based login fails, the /bin/httpd login() routine at 0x4c88b8 falls back to a plaintext strcmp() against the 'sys.rzadmin.password' config value, granting role=2 (admin) with any username. Reported through CERT/CC (VU#213560), it is not in CISA KEV and has no public exploit identified at time of analysis, with a low EPSS score of 0.24% (15th percentile). …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach router web login interface
Delivery
Submit any username with backdoor password
Exploit
Normal MD5 auth fails, falls through to strcmp()
Execution
Plaintext match on sys.rzadmin.password
Persist
Granted role=2 admin session
Impact
Full device configuration takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires network reachability to the /bin/httpd web management interface and knowledge of the backdoor credential stored in sys.rzadmin.password; the attacker submits that value as the password with ANY username (the 'rzadmin' username is never checked) and the normal MD5 authentication must fail first so the code reaches the backdoor branch. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals here conflict and warrant nuance. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the router's web login (for example, a device with remote management exposed to the internet, or an attacker on the local network) submits any username with the backdoor password value in the login form. Because the login() routine falls through to a plaintext strcmp() against sys.rzadmin.password after the normal hash check fails, a correct value immediately returns an admin (role=2) session, giving full device control. …
Remediation No vendor-released patch or fixed firmware version is identified in the available data at time of analysis; monitor the CERT/CC advisory (https://kb.cert.org/vuls/id/213560) and Tenda for updated firmware for the AC10, AC5, AC6, FH1201, and W15E lines. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Conduct asset inventory to identify all affected Tenda router models (AC10, AC5, AC6, FH1201, W15E) in production and development environments. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2014-8656 CRITICAL POC
10.0 Nov 06

The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH have a d

CVE-2013-2645 CRITICAL POC
9.3 Oct 06

Multiple cross-site request forgery (CSRF) vulnerabilities on the TP-LINK WR1043N router with firmware TL-WR1043ND_V1_12

CVE-2014-8657 MEDIUM POC
5.0 Nov 06

The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows r

CVE-2014-8655 MEDIUM POC
5.0 Nov 06

The Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 with firmware CH6640-3.5.11.7-NOSH allows r

CVE-2014-8654 MEDIUM POC
6.8 Nov 06

Multiple cross-site request forgery (CSRF) vulnerabilities in Compal Broadband Networks (CBN) CH6640E and CG6640E Wirele

CVE-2014-8653 MEDIUM POC
4.3 Nov 06

Cross-site scripting (XSS) vulnerability in Compal Broadband Networks (CBN) CH6640E and CG6640E Wireless Gateway 1.0 wit

CVE-2026-7415 CRITICAL
9.8 May 07

Anonymous MQTT access in Yarbo firmware v2.3.9 allows remote unauthenticated attackers on the local network to fully con

CVE-2026-7414 CRITICAL
9.8 May 07

Hardcoded administrative credentials in Yarbo firmware v2.3.9 allow remote unauthenticated attackers to gain full device

CVE-2026-7413 HIGH
7.2 May 07

Undocumented persistent backdoor in Yarbo firmware v2.3.9 grants remote privileged access that survives factory reset an

CVE-2016-6257 MEDIUM
6.5 Aug 02

The firmware in Lenovo Ultraslim dongles, as used with Lenovo Liteon SK-8861, Ultraslim Wireless, and Silver Silk keyboa

Share

CVE-2026-11405 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy