Tenda firmware (multiple versions) contains hidden authentication backdoor

316 points - today at 12:08 AM

Source

Comments

greyface- today at 3:02 AM
The article doesn't disclose the value of "sys.rzadmin.password", but this writeup from 2022 does:

https://boschko.ca/tenda_ac1200_router/

Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.

pbasista today at 8:35 AM
> The associated username is not validated, so any provided username will succeed when paired with the backdoor password.

Great. I am really wondering why should the customers trust these manufacturers.

At this point I would not use any router with vendor-provided black box firmware. Full stop.

I would always install OpenWRT or something similar on it before using it.

And if that is not possible for whatever reason, I would not even think about buying such a device.

fusslo today at 2:04 AM
> Tenda is a supplier of home and business network devices such as routers, switches, wireless access points, and video surveillance equipment.

I was unfamiliar with Tenda.

> Shenzhen Tenda Technology Co.,Ltd. ( https://www.tendacn.com/us/profile )

Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras)

I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"

Havoc today at 7:25 AM
The consistency with which networking hardware companies produce such garbage is crazy.

And it’s always amateur hour backdoors somehow. If it was something sophisticated they might get a pass on „ok some security agency made them do it probably“

Fabricio20 today at 10:37 AM
Oh this is amazing! I have a few of their cube routers sitting around and I always hated how app-locked their firmware was when it really is just a wifi repeater with a few extras (mesh) on top. Root access will do wonders to bypassing the app now (and also disabling their ping-for-green-light mechanism which spams the network with a constant dns resolution to microsoft.com lol).

Also honest take this looks less like a "backdoor" (implies malicious - this is a link to a CVE after all) and more like a developer access credential/default credential that was burned into the firmware (i'd imagine the code remains but on a production run they randomize the key so its non-guessable but then you get lazy and dont run that extra step and this slips in/you burn the bare firmware with no production configs).

ggm today at 3:29 AM
Have used their travel wifi product back when hotel wifi was a strange beast. Wouldn't expect to need it now eSIM and ubiquitous internet travel pricing means the hotel wifi may be the LEAST valid path to access things.

I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.

drnick1 today at 3:16 AM
And this is why I handroll my own routers/firewalls, using commodity hardware and a Linux distribution.
HDBaseT today at 3:32 AM
The US/Israel would never do such a thing, buy UniFi/Fortinet/Palo Alto!
cedel2k1 today at 1:16 PM
Reminds me of LKWPETER. I lost a bet when insinsting this couldn't be true.
dhx today at 4:52 AM
It looks like recent Tenda hardware/firmware is encrypted per below examples, making it harder to audit.

binwalk US_AC10V6.0si_V16.03.62.09_multi_TDE01.bin

  DECIMAL       HEXADECIMAL     DESCRIPTION
  --------------------------------------------------------------------------------
  516           0x204           OpenSSL encryption, salted, salt: 0x436999A39FECA649
binwalk US_BE12ProV1.0mt_V16.03.66.23_TD01.bin

  DECIMAL       HEXADECIMAL     DESCRIPTION
  --------------------------------------------------------------------------------
  516           0x204           OpenSSL encryption, salted, salt: 0x81235B7D4130B6AB
The third attempt I tried was unencrypted, and possibly reveals the problem exists on another model this CVE doesn't list as affected:

binwalk US_W18EV2_kf_V16.01.0.20\(4766\)_HighPower\ \(1\).bin

  DECIMAL       HEXADECIMAL     DESCRIPTION
  --------------------------------------------------------------------------------
  64            0x40            uImage header, header size: 64 bytes, header CRC: 0x95335734, created: 2026-06-16 09:09:35, image size: 2159135 bytes, Data Address: 0x80100000, Entry Point: 0x805F41C0, data CRC: 0x5ABEDB00, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Tenda Linux-4.14.90"
  128           0x80            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 6947248 bytes
  2159263       0x20F29F        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8971644 bytes, 847 inodes, blocksize: 1048576 bytes, created: 2026-06-16 08:53:20
Inside is /squashfs-root/webroot_ro/default_ac.cfg which offers:

  sys.rzadmin.username=rzadmin
  sys.rzadmin.password=cnphZG1pbg==  (ed: base64 decoded: rzadmin)
  sys.guest.username=guest
  sys.guest.password=Z3Vlc3Q=  (ed: base64 decoded: guest)
And /squashfs-root/webroot_ro/default_router.cfg which offers:

  sys.rzadmin.username=rzadmin
  sys.rzadmin.password=cnphZG1pbg==  (ed: base64 decoded: rzadmin)
From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".

Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd

high_byte today at 9:30 AM
this is definitely a backdoor, not necessarily that they use it to infiltrate users but definitely they put them at risk.

reminds me of a bug I found in some tplink router it compared passwords of 3 different users but that table was empty so basically 15 NULL bytes would log you in as admin lol

chirsz today at 6:55 AM
A quick search reveals several other serious vulnerabilities in Tenda routers that could grant administrator privileges. Therefore, I tend to believe this is due to the company's incompetence and lack of technical skill rather than malicious intent—but it's still a reason to avoid using Tenda products. There's a reason why Tenda's market share is far lower than TP-Link's.
matltc today at 4:48 AM
My ifconfig is simple: if it's made in Shenzhen, throw it out
linzhangrun today at 8:38 AM
Common situation for small-company software...

Backdoor passwords left for convenient debugging are not surprising anymore.

megous today at 2:35 PM
Most of the software is this way, it seems. Military intelligenece in our country were recently changing configs on peoples routers without their knowledge or consent to get rid of similarly dangerous thing on several types of tp-link routers.

And if you ever looked inside the firmwares of these IoT Linux boxes (be it sip phones, payment terminals, ip cameras, routers, modems, etc.) you'd not want it anywhere near anything that needs to be secure. OpenWRT or your own thing, or very strict isolation, or nothing.

daneel_w today at 11:54 AM
What a surprise.
like_any_other today at 6:01 AM
So will this finally be treated as sabotage/criminal hacking, or is it just yet another example of letting manufacturers do whatever they want to their customers without any punishment? Meanwhile if I find and publish the emails of Tenda customers that they accidentally left unprotected, I get raided by the FBI.
emsign today at 5:01 AM
Not to sound too alarming. But

Security holes in networking equipment

Affects not just the compromised devices.

zb3 today at 11:40 AM
Typical for Chinese companies. Of course US companies also provide backdoors, but more official and more secure..
deeddy today at 9:09 AM
I've seen it last night, and I was like wtf?! Frankly, if they tried to build in some backdoor, I bet they would have done it differently, not so obviously. This must have been some sort of stupidity done for testing purposes, and just got buried deep in the code and forgotten.

This is the main reason why you should always use OpenWRT or other opensource router OS. If it gets an issue, at least it would get patched in the next update.

tangsoupgallery today at 2:21 AM
[flagged]
nttylock today at 3:00 AM
[flagged]
dmpanch today at 7:44 AM
[flagged]
0xshaftoe today at 7:32 AM
[dead]
RetroTechie today at 1:31 AM
[flagged]
vachina today at 2:16 AM
[flagged]
naturalmovement today at 2:58 AM
[flagged]
SubiculumCode today at 1:55 AM
Up and out the back door, any 'ol time.
finalhacker today at 6:30 AM
Almost all consumer electronics come with backdoors—especially given the prevalence of computational advertising. Before criticizing Tenda, we ought to clarify whether this is a consumer-facing (2C) or business-facing (2B) product.