Powered by MOMENTUMMEDIA
For breaking news and daily updates, subscribe to our newsletter

Analysts warn of hidden backdoor in routers sold in Australia

CERT Coordination Center finds “undocumented authentication backdoor” in several versions of the firmware in Tenda network devices.

Mon, 13 Jul 2026
Analysts warn of hidden backdoor in routers sold in Australia

Malicious actors could bypass password verification and gain administrative control without any credentials, thanks to a newly revealed backdoor found in the firmware of a raft of network devices made by Tenda.

The company – which has an Australian office – supplies a raft of home and business devices such as switches, routers, and wireless access points.

“Most of these devices include web-based interfaces that allow users to perform configuration and management operations, which are protected by username/password authentication to prevent unauthorised modifications,” Carnegie Mellon University’s CERT Coordination Center warned last week.

 
 

However, several firmware versions contain what CERT CC describes as an undocumented authentication backdoor.

“The web server binary /bin/httpd contains an undocumented backdoor authentication mechanism in the login() function. Initially, the function follows a normal authentication path using MD5-based password verification,” CERT CC said.

“However, if authentication fails, the function invokes GetValue(‘sys.rzadmin.password’) to retrieve an alternate password value from the device configuration. It then performs a direct strcmp() comparison in plaintext between the user-supplied password and the configuration-stored value. A successful match grants role=2 admin-level access and creates a valid session.”

The firmware does not validate the associated username, so any username provided will work when paired with the backdoor’s password. Once administrative control is achieved, the device can be reconfigured and its security features disabled, leading to further compromise.

CERT CC lists several firmware versions that it says are impacted by the vulnerability – currently tracked as CVE-2026-11405 – however, there appears to be a slight wrinkle in its reporting.

According to security researcher Will Dormann, the listed versions don’t contain the aforementioned backdoor, although it does appear to be present in others.

“OK, after a little digging, there are indeed some Tenda firmwares that contain the rzadmin backdoor account in httpd,” Dormann said in social media posts soon after the backdoor was reported.

“The problem? Out of the firmware versions that CERT lists, none of them contain this backdoor. Oops.

“Maybe I’m simply being pedantic, but I think that when an organisation publishes about a vulnerability and creates a CVE for it, the affected products should perhaps be accurate?”

While CERT CC may not have been entirely accurate about the firmware versions impacted by the backdoor, it’s clear that there’s a backdoor in at least some versions. That being the case, the best advice for organisations using Tenda devices remains the same: disable remote management on your device and restrict local network exposure.

Cyber Daily has reached out to Tenda Australia for comment.

Cyber DailyWant to see more stories from trusted news sources?
Make Cyber Daily a preferred news source on Google.
Tags:

David Hollingworth

David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.