CVE-2026-11405
Received Received - Intake

Hidden Backdoor Authentication in Web Server Binary

Vulnerability report for CVE-2026-11405, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-06

Last updated on: 2026-07-06

Assigner: CERT/CC

Description

The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8. - The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key). - After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration. - It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password. A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked β€” any username works with the backdoor

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-06
Last Modified
2026-07-06
Generated
2026-07-07
AI Q&A
2026-07-06
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 5 associated CPEs
Vendor Product Version / Range
tenda firmware US_FH1201V1.0BR_V1.2.0.14
tenda firmware US_W15EV1.0br_V15.11.0.5
tenda firmware US_AC10V1.0re_V15.03.06.46
tenda firmware US_AC5V1.0RTL_V15.03.06.48
tenda firmware US_AC6V2.0RTL_V15.03.06.51

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-UNKNOWN

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-11405 is a vulnerability in the /bin/httpd web server binary of certain Tenda firmware versions. It contains a hidden backdoor authentication mechanism within the login() function. Normally, the function verifies passwords using an MD5 hash-based method. However, if this normal authentication fails, the function reads a backdoor password stored in the device configuration and compares it directly in plaintext with the user-supplied password. If the backdoor password matches, the attacker is granted admin-level access (role=2) and a valid session is created, regardless of the username used.

This backdoor allows attackers to bypass normal password verification and gain full administrative access to the device's web management interface without valid credentials.

Impact Analysis

Exploitation of this vulnerability allows attackers to gain full administrative access to the affected device's web management interface without needing valid credentials.

  • Attackers can reconfigure the device settings.
  • They can alter network configurations.
  • Security features on the device can be disabled.

This can lead to compromise of the local network and potentially allow further attacks or unauthorized access.

Detection Guidance

This vulnerability involves a hidden backdoor password in the device configuration that allows admin access regardless of username. Detection involves checking for the presence of this backdoor password in the device configuration and monitoring for unauthorized admin-level access attempts.

Since the backdoor password is stored in the device configuration under the key "sys.rzadmin.password", you can attempt to query or inspect this configuration value if you have access to the device.

Network detection can include monitoring for unusual login attempts where any username is accepted but the password matches the backdoor password, granting admin access.

Specific commands depend on the device and firmware, but general suggestions include:

  • Access the device configuration and check for the presence of the "sys.rzadmin.password" key.
  • Use network monitoring tools to detect admin-level login sessions originating from unexpected sources.
  • If possible, extract and analyze the /bin/httpd binary to verify the presence of the backdoor login() function.
Mitigation Strategies

Immediate mitigation steps include disabling remote management features and restricting access to the device's web management interface to trusted local network users only.

Since no patch is available and the vendor has not responded, limiting exposure is critical to prevent exploitation.

Additional steps include monitoring for unauthorized access attempts and changing any known passwords that might be related to the backdoor.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-11405. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart