Tenda Firmware Unpatched Backdoor Allows Admin Access – Security Risk
A security researcher identified an undocumented backdoor in several Tenda firmware versions, enabling unauthorized users to gain administrative access to the device’s web management interface.
Unpatched Backdoor in Tenda Firmware
Vulnerability Details
Designated as CVE-2026-11405, the flaw resides in the login function of the web server binary and can be exploited to bypass authentication, according to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.
Impact and Exploitation
The issue arises from a flaw in the authentication process where failed login attempts trigger a mechanism to retrieve a password value stored in the device’s configuration. The system then compares the user-supplied password against the stored value in plaintext, granting administrative privileges upon a match.
Notably, the associated username is not validated, allowing any provided username to succeed when paired with the backdoor password. This authentication mechanism remains undocumented and inaccessible through standard administrative interfaces.
Risk and Mitigation
Exploitation of this vulnerability enables attackers to alter device configurations, modify network settings, and disable security features, potentially leading to local network compromise. CERT/CC reported that no coordination with the vendor has occurred to address the flaw, and no patch has been released to mitigate the risk.
Users are advised to disable remote web management capabilities on affected devices to reduce exposure.
According to the CERT Coordination Center (CERT/CC) at Carnegie Mellon University, the issue arises from a flaw in the authentication process where failed login attempts trigger a mechanism to retrieve a password value stored in the device’s configuration.
Separate Authorization Flaw in HP Deskjet 2800 Series Printers
Vulnerability Overview
CERT/CC disclosed a separate authorization flaw in HP Deskjet 2800 series printers running firmware versions up to TBP1CN2612AR. Tracking this issue as CVE-2026-13753, the vulnerability allows unauthenticated attackers to access administrative configuration data through exposed backend API endpoints.
Risk and Exploitation
By sending GET requests, adversaries can retrieve sensitive information such as Wi-Fi Direct SSID, plaintext passphrases, printer serial numbers, service IDs, and administrative password details. The lack of authentication or session validation for these endpoints creates a critical risk, as it exposes data typically restricted to authorized users.
Current Status
CERT/CC emphasized that this flaw remains unpatched, leaving affected devices vulnerable to exploitation. No patches have been released for either vulnerability, underscoring the urgency for users to implement mitigations such as disabling unnecessary services and monitoring network traffic for suspicious activity.
