Tenda firmware (multiple versions) contains hidden authentication backdoor
miniBill
121 points
30 comments
July 08, 2026
Related Discussions
Found 5 related stories in 837.4ms across 14,015 title embeddings via pgvector HNSW
- Remote Firmware Injection in Popular Solar Inverters mrlnstk · 13 pts · March 04, 2026 · 55% similar
- Unauthenticated RCE in Motorola's MR2600 Router MrBruh · 78 pts · July 12, 2026 · 53% similar
- TP-Link Kasa cameras leaked home GPS via unauthenticated UDP for 6 years BadChemical · 74 pts · July 17, 2026 · 52% similar
- Ivanti Sentry pre-auth RCE (CVE-2026-10520) – CVSS 10.0, public PoC, CISA KEV slvnx · 17 pts · June 11, 2026 · 50% similar
- TS-2026-009: Insecure argument handling in Tailscale SSH permitted root access jervant · 101 pts · July 15, 2026 · 49% similar
Discussion Highlights (11 comments)
RetroTechie
Yet another Chinese company selling backdoor'd product. Surprise surprise...
SubiculumCode
Up and out the back door, any 'ol time.
fusslo
> Tenda is a supplier of home and business network devices such as routers, switches, wireless access points, and video surveillance equipment. I was unfamiliar with Tenda. > Shenzhen Tenda Technology Co.,Ltd. ( https://www.tendacn.com/us/profile ) Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras) I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"
vachina
Chinese undocumented auth: commies tryna steal mah api tokenz US undocumented auth: legitimate usecase for out of band support nothing to see here
greyface-
The article doesn't disclose the value of "sys.rzadmin.password", but this writeup from 2022 does: https://boschko.ca/tenda_ac1200_router/ Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.
drnick1
And this is why I handroll my own routers/firewalls, using commodity hardware and a Linux distribution.
ggm
Have used their travel wifi product back when hotel wifi was a strange beast. Wouldn't expect to need it now eSIM and ubiquitous internet travel pricing means the hotel wifi may be the LEAST valid path to access things. I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.
HDBaseT
The US/Israel would never do such a thing, buy UniFi/Fortinet/Palo Alto!
matltc
My ifconfig is simple: if it's made in Shenzhen, throw it out
dhx
It looks like recent Tenda hardware/firmware is encrypted per below examples, making it harder to audit. binwalk US_AC10V6.0si_V16.03.62.09_multi_TDE01.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 516 0x204 OpenSSL encryption, salted, salt: 0x436999A39FECA649 binwalk US_BE12ProV1.0mt_V16.03.66.23_TD01.bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 516 0x204 OpenSSL encryption, salted, salt: 0x81235B7D4130B6AB The third attempt I tried was unencrypted, and possibly reveals the problem exists on another model this CVE doesn't list as affected: binwalk US_W18EV2_kf_V16.01.0.20\(4766\)_HighPower\ \(1\).bin DECIMAL HEXADECIMAL DESCRIPTION -------------------------------------------------------------------------------- 64 0x40 uImage header, header size: 64 bytes, header CRC: 0x95335734, created: 2026-06-16 09:09:35, image size: 2159135 bytes, Data Address: 0x80100000, Entry Point: 0x805F41C0, data CRC: 0x5ABEDB00, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Tenda Linux-4.14.90" 128 0x80 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 6947248 bytes 2159263 0x20F29F Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8971644 bytes, 847 inodes, blocksize: 1048576 bytes, created: 2026-06-16 08:53:20 Inside is /squashfs-root/webroot_ro/default_ac.cfg which offers: sys.rzadmin.username=rzadmin sys.rzadmin.password=cnphZG1pbg== (ed: base64 decoded: rzadmin) sys.guest.username=guest sys.guest.password=Z3Vlc3Q= (ed: base64 decoded: guest) And /squashfs-root/webroot_ro/default_router.cfg which offers: sys.rzadmin.username=rzadmin sys.rzadmin.password=cnphZG1pbg== (ed: base64 decoded: rzadmin) From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password". Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd
emsign
Not to sound too alarming. But Security holes in networking equipment Affects not just the compromised devices.