{"dataType":"CVE_RECORD","dataVersion":"5.2","cveMetadata":{"cveId":"CVE-2026-11405","assignerOrgId":"37e5125f-f79b-445b-8fad-9564f167944b","state":"PUBLISHED","assignerShortName":"certcc","dateReserved":"2026-06-05T18:12:15.445Z","datePublished":"2026-07-06T19:17:07.891Z","dateUpdated":"2026-07-08T03:56:43.493Z"},"containers":{"cna":{"title":"Hidden backdoor authentication mechanism in multiple versions of Tenda firmware allows admin access to web management interface","descriptions":[{"lang":"en","value":"The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8.\r\n\r\n- The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key).\r\n- After normal authentication fails, it calls GetValue(\"sys.rzadmin.password\") to read a backdoor password from the device configuration.\r\n- It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password.\r\n\r\nA successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor"}],"source":{"discovery":"UNKNOWN"},"affected":[{"vendor":"Tenda","product":"firmware","versions":[{"status":"affected","version":"US_AC6V2.0RTL_V15.03.06.51_multi_T"}]},{"vendor":"Tenda","product":"firmware","versions":[{"status":"affected","version":"US_AC5V1.0RTL_V15.03.06.48_multi_TDE01"}]},{"vendor":"Tenda","product":"firmware","versions":[{"status":"affected","version":"US_AC10V1.0re_V15.03.06.46_multi_TDE01"}]},{"vendor":"Tenda","product":"firmware","versions":[{"status":"affected","version":"US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE"}]},{"vendor":"Tenda","product":"firmware","versions":[{"status":"affected","version":"US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD"}]}],"problemTypes":[{"descriptions":[{"lang":"en","description":"CWE-912: Hidden Functionality"}]}],"references":[{"url":"https://cwe.mitre.org/data/definitions/912.html"},{"url":"https://kb.cert.org/vuls/id/213560"}],"x_generator":{"engine":"VINCE 3.0.43","env":"prod","origin":"https://cveawg.mitre.org/api/cve/CVE-2026-11405"},"providerMetadata":{"orgId":"37e5125f-f79b-445b-8fad-9564f167944b","shortName":"certcc","dateUpdated":"2026-07-06T19:24:17.280Z"}},"adp":[{"title":"CVE Program Container","references":[{"url":"https://www.kb.cert.org/vuls/id/213560"}],"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2026-07-06T20:37:55.739Z"}},{"title":"CISA ADP Vulnrichment","metrics":[{"other":{"type":"ssvc","content":{"timestamp":"2026-07-07T00:00:00+00:00","options":[{"Exploitation":"none"},{"Automatable":"yes"},{"Technical Impact":"total"}],"role":"CISA Coordinator","version":"2.0.3","id":"CVE-2026-11405"}}}],"providerMetadata":{"orgId":"134c704f-9b21-4f2e-91b3-4a467353bcc0","shortName":"CISA-ADP","dateUpdated":"2026-07-08T03:56:43.493Z"}}]}}