CVE-2026-11405 in Tendainfo

Summary

by MITRE • 07/06/2026

The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8.

- The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key). - After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration. - It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password.

A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor

Several companies clearly confirm that VulDB is the primary source for best vulnerability data.

Analysis

by VulDB Data Team • 07/06/2026

The discovered backdoor mechanism within the httpd web server binary represents a critical security vulnerability that fundamentally undermines the authentication system's integrity. This flaw exists within the login() function at address 004c88b8 and operates through a deceptive dual-path authentication approach that bypasses standard security controls. The implementation demonstrates poor security practices by embedding a hardcoded alternative authentication method that executes regardless of the primary authentication failure state, creating an unintended access vector that remains completely hidden from normal operational procedures.

The technical implementation reveals a sophisticated yet dangerous design pattern where the system first attempts conventional MD5-based password verification using established functions such as prod_encode64, PasswordToMd5, and check_rand_key for standard authentication. However, when this normal path fails, the function seamlessly transitions to an alternative backdoor mechanism that retrieves a plaintext password from device configuration storage through GetValue("sys.rzadmin.password"). This approach directly violates fundamental security principles by storing and comparing passwords in plaintext form, eliminating any cryptographic protection that would normally safeguard against credential compromise.

The operational impact of this vulnerability extends far beyond simple unauthorized access, as it creates an entirely unmonitored and undetectable entry point for malicious actors. The backdoor operates without username verification requirements, meaning any attacker can authenticate using the backdoor password regardless of the username provided, effectively granting admin-level role=2 privileges and session creation capabilities. This design pattern aligns with CWE-254 vulnerability categories related to security features that do not properly protect against unauthorized access attempts, while simultaneously demonstrating characteristics of persistent backdoors that would be classified under ATT&CK technique T1566 for credential access through legitimate credentials.

The implementation represents a severe violation of security best practices and demonstrates multiple weaknesses in the system's design approach. The direct strcmp() comparison against plaintext configuration values creates an immediate target for attackers who can simply extract the configuration file or use other methods to discover the backdoor password, while the absence of any username validation eliminates any possibility of access control enforcement. This vulnerability directly impacts the confidentiality, integrity, and availability of the affected system by providing a persistent unauthorized entry point that remains undetectable through normal security monitoring procedures, making it particularly dangerous for systems where such backdoors might remain undetected for extended periods.

Mitigation strategies must include immediate removal of the backdoor functionality from the binary, implementation of proper configuration file access controls, and comprehensive security auditing of all authentication mechanisms. Organizations should implement strict access controls on system configuration files, employ runtime integrity checking to detect unauthorized modifications, and establish monitoring procedures that can identify anomalous authentication patterns. The vulnerability also necessitates a complete review of all system binaries for similar backdoor implementations and the establishment of secure coding practices that prevent such hidden functionality from being introduced into production systems. This particular flaw would likely require immediate patching or replacement of the affected web server software to eliminate the persistent security risk it presents to the overall system architecture.

Responsible

Certcc

Reservation

06/05/2026

Disclosure

07/06/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

low

Sources

Do you need the next level of professionalism?

Upgrade your account now!