61 comments

  • pbasista an hour ago

    > The associated username is not validated, so any provided username will succeed when paired with the backdoor password.

    Great. I am really wondering why should the customers trust these manufacturers.

    At this point I would not use any router with vendor-provided black box firmware. Full stop.

    I would always install OpenWRT or something similar on it before using it.

    And if that is not possible for whatever reason, I would not even think about buying such a device.

    • bayindirh 14 minutes ago

      Last time when I looked OpenWRT was unable to support MIMO and beamforming capabilities of many of the devices it was running on.

      This capabilities are crucial to have decent coverage, signal strength and throughput where I live (i.e.: crowded/congested wireless networks in an apartment complex).

      Did OpenWRT team managed to work around them, or did the manufacturers started to play nicer with open drivers with loadable firmware?

    • rootatixww3 16 minutes ago

      good approach, but your security should not depend on your router anyway, you should be immune to attacks from it

      • bayindirh a minute ago

        Not exposing your management interface to internet and running a guest network which doesn't have access to said management interfaces can block 95%+ of the attacks, I believe.

  • greyface- 7 hours ago

    The article doesn't disclose the value of "sys.rzadmin.password", but this writeup from 2022 does:

    https://boschko.ca/tenda_ac1200_router/

    Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.

    • thibaut_barrere 4 hours ago

      That backdoor is so up front about it. We might as well call it a frontdoor.

      • Wololooo an hour ago

        I mean, it's 99% sure this was supposed to be a debug feature...

        • rootatixww3 15 minutes ago

          and "accidentally" they forgot to disable it when releasing

    • BloondAndDoom 2 hours ago

      At that point it’s not even a back door it’s just stupid default root password kind of design which used to be standard in this kind of hardware. Backdoor would at least try to be subtle :)

      • Asraelite 22 minutes ago

        Backdoors are often (almost always?) designed to look like incompetence so that there's plausible deniability.

    • lemagedurage 6 hours ago

      Sounds like a convenience feature for a dev that they forgot to remove before distribution, since it's this poorly hidden.

      • sph 3 hours ago

        In computer security, never attribute to ignorance that which is adequately explained by malice.

        • hnlmorg 3 hours ago

          You’ve got the saying backwards:

          “Never attribute to malice that which is adequately explained by stupidity.”

          https://en.wikipedia.org/wiki/Hanlon%27s_razor

          • jchw 3 hours ago

            Pretty sure the point was to invert it. :)

            • hnlmorg 3 hours ago

              Yes, I got their point. My point is that’s the opposite of reality.

              • UweSchmidt 28 minutes ago

                Maybe it's time to take a closer look at reality and correct this meme, which might casually blur the issue and deflect responsibility?

                Looking at the IT security landscape we see every layer, every product category if not every product itself riddled with issues at one point or another. At the same time the incentives to put those security issues in are huge, and we know attackers work systematic, creative and persistent to introduce those weak points.

                Security is hard and many bugs certainly happen due to mistakes, but I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.

                So I would go with “Never attribute to ignorance that which is adequately explained by malice.”

              • naruhodo an hour ago

                His point is that in security, the opposite applies. The supposed "incompetence" is just plausible deniability for a malicious act.

  • fusslo 8 hours ago

    > Tenda is a supplier of home and business network devices such as routers, switches, wireless access points, and video surveillance equipment.

    I was unfamiliar with Tenda.

    > Shenzhen Tenda Technology Co.,Ltd. ( https://www.tendacn.com/us/profile )

    Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras)

    I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"

    • dpacmittal 5 hours ago

      Tenda is very popular in Asia, several ISPs use them as their default routers.

    • _puk 3 hours ago

      Tenda has been around for quite a few years now. I don't imagine they'll rebrand.

      I have an ethernet over power adapter somewhere in a cupboard from perhaps 10 years ago.

      Back then it was standard for the admin password to be 'admin'. They'd often even print it on the device itself.

      • ale42 2 hours ago

        > the admin password to be 'admin'. They'd often even print it on the device itself.

        Yes but aren't you supposed to change that one? The problem with the rzadmin is that it will continue to work even after you change the regular admin one...

      • puzzlingcaptcha an hour ago

        I am still using their Powerline adapters and FWIW they have been very reliable.

    • userbinator 4 hours ago

      It is probably just a brand, like many others, and based on a reference design from the OEM.

      I have a small Tenda 5-port gigabit dumb switch. It uses the same switch chip as this TP-Link, just with different branding; even the "SG105" model number is the same:

      https://goughlui.com/2022/02/27/unbox-teardown-tp-link-tl-sg...

    • TedDoesntTalk 7 hours ago

      I’m in the USA and have a Tenda WiFi usb stick. Not as popular as other brands but they are around

  • high_byte 8 minutes ago

    this is definitely a backdoor, not necessarily that they use it to infiltrate users but definitely they put them at risk.

    reminds me of a bug I found in some tplink router it compared passwords of 3 different users but that table was empty so basically 15 NULL bytes would log you in as admin lol

  • Havoc 2 hours ago

    The consistency with which networking hardware companies produce such garbage is crazy.

    And it’s always amateur hour backdoors somehow. If it was something sophisticated they might get a pass on „ok some security agency made them do it probably“

    • KingOfCoders 2 hours ago

      Or the amateur hour backdoors are those that are found.

      Or the amateur hour backdoors are there to be found.

  • ggm 6 hours ago

    Have used their travel wifi product back when hotel wifi was a strange beast. Wouldn't expect to need it now eSIM and ubiquitous internet travel pricing means the hotel wifi may be the LEAST valid path to access things.

    I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.

    • VladVladikoff 6 hours ago

      I’m working on a hotel right now. And I’ve gone to great lengths to make the wifi more secure. Everyone on their own VLAN. Separate PPSK for each room. Credentials are randomly generated and not some ridiculous pattern of last name and room number or similar. We built our own custom access control system, with what at the time was the strongest keycards we could find (mifare desfire ev3), I’m really trying to make a hotel who’s security isn’t such a joke.

      • miki123211 4 hours ago

        How do you distribute credentials to residents?

        My Macbook is permanently locked out of Cox's hotspot system (used in some U.S. hotels) because the password was given to me on a tiny label which I couldn't read as a blind person except through OCR, and the OCR was wrong a few too many times.

        • user_7832 4 hours ago

          Do macs not spoof their macid (heh) everytime they join a network? I thought android (and windows?) did that already?

          • mh- 3 hours ago

            They do, by default. You have to override it on a per-network basis to disable this behavior.

      • ggm 6 hours ago

        As long as I can bind more than one device in my room, and as long as I can "see" the devices amongst themselves, I'd love this. I can imagine people who want inter-room access but they can live through proxies offsite. If I want to do in room sharing, I need in room wifi.

        Gets hard when you bring "smart" TV's to the table. They're going to need to expose into this system somewhat 'credential-free' but if you do it off MAC address then a determined user could disconnect, find MAC, clone ...

        • netsharc 2 hours ago

          I stayed at a clinic once, and all the smart TVs were on the same network.. I wonder what would've happened if I streamed a video from my phone to another room's TV.

        • ikidd 5 hours ago

          It would still be wiser to tie your own router into the hotel system as a gateway, and keep your own PAN behind that.

  • chirsz 3 hours ago

    A quick search reveals several other serious vulnerabilities in Tenda routers that could grant administrator privileges. Therefore, I tend to believe this is due to the company's incompetence and lack of technical skill rather than malicious intent—but it's still a reason to avoid using Tenda products. There's a reason why Tenda's market share is far lower than TP-Link's.

  • matltc 5 hours ago

    My ifconfig is simple: if it's made in Shenzhen, throw it out

    • hathym 3 hours ago

      I bet more than half of components in all your electronics are made in Shenzhen

    • riskd 4 hours ago

      Yikes

  • HDBaseT 6 hours ago

    The US/Israel would never do such a thing, buy UniFi/Fortinet/Palo Alto!

  • dhx 5 hours ago

    It looks like recent Tenda hardware/firmware is encrypted per below examples, making it harder to audit.

    binwalk US_AC10V6.0si_V16.03.62.09_multi_TDE01.bin

      DECIMAL       HEXADECIMAL     DESCRIPTION
      --------------------------------------------------------------------------------
      516           0x204           OpenSSL encryption, salted, salt: 0x436999A39FECA649
    
    binwalk US_BE12ProV1.0mt_V16.03.66.23_TD01.bin

      DECIMAL       HEXADECIMAL     DESCRIPTION
      --------------------------------------------------------------------------------
      516           0x204           OpenSSL encryption, salted, salt: 0x81235B7D4130B6AB
    
    The third attempt I tried was unencrypted, and possibly reveals the problem exists on another model this CVE doesn't list as affected:

    binwalk US_W18EV2_kf_V16.01.0.20\(4766\)_HighPower\ \(1\).bin

      DECIMAL       HEXADECIMAL     DESCRIPTION
      --------------------------------------------------------------------------------
      64            0x40            uImage header, header size: 64 bytes, header CRC: 0x95335734, created: 2026-06-16 09:09:35, image size: 2159135 bytes, Data Address: 0x80100000, Entry Point: 0x805F41C0, data CRC: 0x5ABEDB00, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Tenda Linux-4.14.90"
      128           0x80            LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 6947248 bytes
      2159263       0x20F29F        Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8971644 bytes, 847 inodes, blocksize: 1048576 bytes, created: 2026-06-16 08:53:20
    
    Inside is /squashfs-root/webroot_ro/default_ac.cfg which offers:

      sys.rzadmin.username=rzadmin
      sys.rzadmin.password=cnphZG1pbg==  (ed: base64 decoded: rzadmin)
      sys.guest.username=guest
      sys.guest.password=Z3Vlc3Q=  (ed: base64 decoded: guest)
    
    And /squashfs-root/webroot_ro/default_router.cfg which offers:

      sys.rzadmin.username=rzadmin
      sys.rzadmin.password=cnphZG1pbg==  (ed: base64 decoded: rzadmin)
    
    From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".

    Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd

  • linzhangrun an hour ago

    Common situation for small-company software...

    Backdoor passwords left for convenient debugging are not surprising anymore.

  • drnick1 6 hours ago

    And this is why I handroll my own routers/firewalls, using commodity hardware and a Linux distribution.

    • ikidd 5 hours ago

      Man, I remember doing this in the late 90s with ipchains as the only way to get a router that didn't cost an arm and a leg. Eventually consumer/prosumer routers came out.

      What's old is new again.

    • SuperMouse 3 hours ago

      Tenda has good support among OpenWRT.

      • consp 3 hours ago

        So the next step is a hardware or boot firmware backdoor?

        (Good to know it remains useful by using openWRT and doesn't become landfill)

    • matltc 5 hours ago

      Looking to do this to get off stock isp leased router. What's your hardware/distro rec?

      • drnick1 3 hours ago

        Ryzen 5 with a dual 10Gbps NIC, running Debian. Overkill for a router/firewall, but I run other services on the same hardware including an email stack, Podman containers, and small AI model for use within Home Assistant.

        I wouldn't buy new hardware. Any modest machine built in the last decade would do. If possible, get a machine with an internal ATX power supply rather than an external brick, they tend to be more reliable.

        If all you need is 1Gpbs and WiFi, OpenWrt on consumer hardware is probably enough though.

        • consp 3 hours ago

          I have a Lenovo thin client running Debian as internet gateway/firewall. With some minor modifications and a small low power blower fan you can add a dual sfp pcie card in it (not all versions can, though there are more manufacturers of thin clients with 4x pcie slots). The blower fan is because the main fan stops often and it needs some cooling.

      • dhruvrrp 5 hours ago

        Use openWrt (https://openwrt.org), and use their hardware list to pick a consumer router with the feature set you need that can be flashed to use openWrt.

  • deeddy 28 minutes ago

    I've seen it last night, and I was like wtf?! Frankly, if they tried to build in some backdoor, I bet they would have done it differently, not so obviously. This must have been some sort of stupidity done for testing purposes, and just got buried deep in the code and forgotten.

    This is the main reason why you should always use OpenWRT or other opensource router OS. If it gets an issue, at least it would get patched in the next update.

  • like_any_other 4 hours ago

    So will this finally be treated as sabotage/criminal hacking, or is it just yet another example of letting manufacturers do whatever they want to their customers without any punishment? Meanwhile if I find and publish the emails of Tenda customers that they accidentally left unprotected, I get raided by the FBI.

  • emsign 5 hours ago

    Not to sound too alarming. But

    Security holes in networking equipment

    Affects not just the compromised devices.

  • SubiculumCode 8 hours ago

    Up and out the back door, any 'ol time.

  • RetroTechie 8 hours ago

    Yet another Chinese company selling backdoor'd product. Surprise surprise...

    • cwmoore 8 hours ago

      Are you referring to the concept of “prayer?”

  • finalhacker 3 hours ago

    Almost all consumer electronics come with backdoors—especially given the prevalence of computational advertising. Before criticizing Tenda, we ought to clarify whether this is a consumer-facing (2C) or business-facing (2B) product.