Tenda firmware (multiple versions) contains hidden authentication backdoor

274 points · 93 comments on HN · read original →

Points and comments are a snapshot, not live.

Tenda firmware has an undocumented backdoor granting admin access via the password 'rzadmin'.

CERT/CC reports an undocumented authentication backdoor, CVE-2026-11405, in several Tenda router firmware versions. The /bin/httpd web server binary contains a login() function that, after normal MD5 password verification fails, retrieves a plaintext password from the config key "sys.rzadmin.password" and compares it directly with the user-supplied password. A match grants role=2 administrative access regardless of username. Affected models include US_FH1201, US_W15E, US_AC10, US_AC5, and US_AC6. Tenda was unreachable for coordination. Mitigations include disabling remote management and changing the default LAN IP.

What commenters are saying

Commenters identify the backdoor password as "rzadmin", based on a 2022 writeup, suggesting it is a forgotten debug feature rather than deliberate malice. Several note Tenda's popularity in Asia and among ISPs, while others recommend rolling custom routers with OpenWrt or Debian as a more trustworthy alternative. A minority defends Tenda as a legitimate brand, pointing to its long history and OpenWrt compatibility. One commenter flags that recent Tenda firmware appears encrypted, making auditing harder.