LIVE · cybersecurity feed
vulnerabilityhigh

Hidden backdoor in Tenda router firmware grants admin access

zeroday.news·1d ago

A security vulnerability has been discovered in the firmware of several Tenda router models, creating a hidden backdoor that could allow unauthorized administrative access. The issue, tracked as CVE-2026-11405, stems from an undocumented authentication mechanism within the device's web server.

According to the CERT Coordination Center (CERT/CC), this backdoor bypasses standard login procedures. When a user attempts to authenticate, the router first tries a conventional MD5-based method. If this fails, the firmware then checks a specific configuration value, 'sys.rzadmin.password', against a plaintext password provided by the user. If these match, the device grants administrator privileges, identified as role=2, and establishes a valid session, irrespective of the username entered.

This hidden authentication method is not documented and is not indicated on the administrative interface, leaving users unaware of the potential risk. Successful exploitation grants an attacker full control over the device's web interface, overriding any existing administrator credentials. This level of access would enable an attacker to reconfigure the router, modify network settings, and disable security features, potentially leading to a broader compromise of the local network.

The vulnerability affects specific firmware versions for several Tenda router models, including the FH1201, W15E, AC10, AC5, and AC6 V2. The affected firmware versions are listed as US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T.

As of the report, CERT/CC indicates that Tenda has not yet released a patch to address this vulnerability. The networking equipment manufacturer has reportedly been difficult to reach regarding the issue.

Given the lack of a fix, users of the affected Tenda routers are advised to disable the remote web management panel to prevent internet-accessible exploitation of the vulnerable interface. Additionally, it is recommended to restrict local network exposure by changing the default LAN IP address. This measure can help reduce the chances of opportunistic discovery by automated scanning tools.

The CVE-2026-11405 vulnerability was discovered and reported to CERT/CC by an anonymous researcher. While there is no current information about active exploitation, security experts anticipate that botnets targeting router vulnerabilities may soon attempt to exploit this flaw.

vulnerabilityrouterbackdoorfirmwareaccess
← Back to latest

More News

view all →
zeroday.news · 3h ago·critical

Ubiquiti Patches Critical UniFi Flaws Across Connect, Talk, Access, Protect, and OS

Ubiquiti has released security updates to address several critical vulnerabilities affecting its UniFi product line, including UniFi Connect, Talk, Access, Protect, and OS. These flaws could allow attackers to escalate privileges or execute arbitrary commands on affected devices. While no active exploitation has been reported for these specific vulnerabilities, the company has previously seen its UniFi OS and Edge OS products targeted by threat actors.

zeroday.news · 3h ago·critical

Attackers using Langflow flaw for credential harvesting (CVE-2026-55255)

CISA has issued a warning regarding a critical vulnerability (CVE-2026-55255) in the Langflow AI framework, which is being actively exploited by attackers. The flaw allows authenticated users to execute arbitrary flows belonging to other users, potentially leading to the theft of sensitive credentials and data exposure, especially in multi-tenant environments. US federal agencies have been mandated to patch this vulnerability by July 10th.

zeroday.news · 2h ago·high

China-Linked APT Expands Arsenal With New ‘Leash’ Backdoors

A China-linked advanced persistent threat (APT) group, identified as LapDogs, has reportedly enhanced its malicious toolkit. Security researchers have observed the deployment of three new backdoors: LongLeash, DogLeash, and JarLeash, which are designed to compromise small office/home office (SOHO) routers.

zeroday.news · 2h ago·high

RedWing Android Spyware Sold as a Service on Telegram

A new Android spyware called RedWing is being offered as a service on Telegram, allowing less sophisticated attackers to compromise phones and steal banking information. Researchers have identified it as a polished malware-as-a-service operation with extensive documentation and a subscription model, potentially linked to Russian threat actors. RedWing employs fake login overlays, SMS interception, call forwarding, and even screen control to harvest credentials and conduct further malicious activities.

zeroday.news · 3h ago·high

Operationalizing Day Minus Seven: The Cloud-Native ROC

The article introduces the concept of a Risk Operations Center (ROC) as a necessary evolution for cybersecurity teams facing AI-driven threats. It argues that traditional risk management models are insufficient due to the speed at which AI can discover and exploit vulnerabilities, especially in cloud environments. A ROC, powered by platforms like Qualys Enterprise TruRisk Management (ETM), aims to unify disparate security findings, hyper-prioritize risks based on exploitability and business impact, and enable autonomous remediation to keep pace with attackers.

zeroday.news · 3h ago·high

Armored Likho Hits Government, Energy Sectors With BusySnake Stealer

Cybersecurity researchers have identified a new threat actor, dubbed Armored Likho, targeting government and energy sectors in Russia, Kazakhstan, and Brazil with a sophisticated phishing campaign. The operation utilizes a custom-built Python infostealer named BusySnake, designed to steal credentials, sensitive documents, and other high-value data. The attackers employ AI-generated payloads to obscure their activities and maintain persistence through various methods, including reverse SSH tunneling.