https://boschko.ca/tenda_ac1200_router/
Spoiler: it's "rzadmin". And it looks like there are a bunch of other goodies in the firmware, too.
I remember when a backdoor was discovered in the most popular brand of keylogging devices[0], likely added there in case someone forgot their password and reached out to support.
[0] https://old.reddit.com/r/cybersecurity/comments/jw6k5v/backd...
This is my guess. People don't like it when a device they have turns into a brick of e-waste because they can't remember their password. So most consumer devices have either a "reset to defaults" feature or a hidden support password. Even enterprise routers and switches often have this.
So after a quick test, it was decided to deploy the debug version of just the frontend as a bandaid. Next day we saw we managed to deploy the debug version of the backend with admin stuff like this as well..
This being said makes the situation for an attacker awfully convenient...
I know this from personal experience.
- What did you think was going on?
Jack Black: Oh, I thought it was an STO.
- STO?
Jack Black: Standard Training Op.
I think sufficiently explained by incompetence over malice applies here. Some nefarious three letter agency having a backdoor like this is pretty pointless anyway.
Unless you’ve enabled remote management you can’t even get to this backdoor from a physical network perspective.
And then you change some router settings which really aren’t a magical access point into your devices in your home. My PC isn’t just going to magically allow you to browse the file system just because a malicious actor got on my local network. They can’t intercept anything moving over TLS.
Not saying it’s good to have that kind of access, but I think at the scale of “typical home network of consumer devices” the utility and blast radius is pretty limited. Go ahead and launch a DDOS attack on my printer and use up my ink cartridges, I guess.
I think we could stop reflexively defaulting to “incompetence” when the end result just as easily resembles a deliberate exploit. Plausible deniability is an extremely effective cover when it’s smartly applied.
I’m not disputing any of your specific technical points; my cynicism is thematic. Even when I try to muzzle it, it tends to get through. The parent comment, though short, is dense with implications about cheap gear, opaque firmware, exposure surfaces I think deserve more sustained attention.
* A quick, generic, maybe sub-ideal list to harden my point.
Plausible deniability is important.
A lot of the stuff I worked on already had glaring issues like that without me having to add it..
“Never attribute to malice that which is adequately explained by stupidity.”
I think it's true to some extent that a lot of the backdoors really are just stupidity, like debugging tools put into prod for convenience. Rather than suggesting that it is genuine malice, maybe the right thing to say is that for security, it doesn't matter whether or not it is malice for most purposes. If it did, it would give more incentive to do as much as possible to disguise malicious backdoors as mistakes.
It's really a matter of context. Security people tend to only be involved when things are already nefarious where as boring old normal people like us see get to see the mundane everyday mistakes so not just the nefarious bits.
I work heavily with security-conscious clients where vulnerabilities would be catastrophic. And we are talking high profile clients that are juicy target for attacks.
My experience is still that the vast majority of vulnerabilities are accidental rather than due to malice.
And when I say “vast”, I mean the so heavily slanted in favour of “unintended” that it’s not even comparable.
> It's really a matter of context. Security people tend to only be involved when things are already nefarious
I’m guessing you’ve not worked with many “security people”?
It's possible the backdoor is deliberate, I have no idea in this particular case, but the more likely situation, absent more information, is that someone who is earning a middling wage just added the "feature" and didn't think about the security implications because no one cares about computer security.
Looking at the IT security landscape we see every layer, every product category if not every product itself riddled with issues at one point or another. At the same time the incentives to put those security issues in are huge, and we know attackers work systematic, creative and persistent to introduce those weak points.
Security is hard and many bugs certainly happen due to mistakes, but I wouldn't assume that all of those security mishaps stem from an endless series of blunders from "stupid" programmers.
So I would go with “Never attribute to ignorance that which is adequately explained by malice.”
The saying doesn’t mean that all vulnerabilities are blunders. It means we shouldn’t automatically assume vulnerabilities are nefarious.
If closer inspection proves beyond reasonable doubt that it was placed there deliberately and maliciously then that’s different.
But the point is most vulnerabilities are blunders so it’s better to assume that until proven otherwise.
So in English it would be like "dcadmin". Maybe they outsourced it to someone doing "gute Deutsche Wertarbeit", or it's a leftover from some agency having had their fun, or smoke&mirrors from whomever for whichever reasons.
Great. I am really wondering why should the customers trust these manufacturers.
At this point I would not use any router with vendor-provided black box firmware. Full stop.
I would always install OpenWRT or something similar on it before using it.
And if that is not possible for whatever reason, I would not even think about buying such a device.
This capabilities are crucial to have decent coverage, signal strength and throughput where I live (i.e.: crowded/congested wireless networks in an apartment complex).
Did OpenWRT team managed to work around them, or did the manufacturers started to play nicer with open drivers with loadable firmware?
Currently my primary shitty box router does everything wrt external connectivity and a bought AP/router sits inside offering WiFi. I'd like to remove that AP completely with a WiFi adaptor controlled by my shitty box, but I've not got around to that as it would mean learning to configure a mesh (and so at least one more of my own shitty boxes!) to get good coverage everywhere (I only have a small place, but there are still a couple of blind-ish spots depending on where I put the primary AP). Not trusting a bought router/AP to not have back doors like this raises the question: if they are going to add backdoors for direct outside connections, what is to stop the firmware instead/also trying to tunnel out and letting unwanted connections in that way? (other than this having less “plausible deniability” once discovered)
No. None of the local ISPs offer speeds above 1 Gbps.
However, I use FriendlyElec NanoPi R5C as the main entrypoint router. It has two 2.5G ethernet ports. It costs less than 100 euros. And it runs OpenWRT.
It is not a multiport, multi-gigabit device though. And I have not tested it above 1 Gbps so I am unsure about its real world performance.
I was unfamiliar with Tenda.
> Shenzhen Tenda Technology Co.,Ltd. ( https://www.tendacn.com/us/profile )
Tenda may just rebrand, right? It seems like many chinese brands will either rebrand or have a 'competing' brand with the same internals but different externals. (I have no idea if Tenda does this, I've just seen it previously. Specifically with security cameras)
I wish the authors provided some method for checking this vulnerability other than fw version. It seems like Tenda could just change the password and say "yep! all safe now"
I have an ethernet over power adapter somewhere in a cupboard from perhaps 10 years ago.
Back then it was standard for the admin password to be 'admin'. They'd often even print it on the device itself.
Yes but aren't you supposed to change that one? The problem with the rzadmin is that it will continue to work even after you change the regular admin one...
I have a small Tenda 5-port gigabit dumb switch. It uses the same switch chip as this TP-Link, just with different branding; even the "SG105" model number is the same:
https://goughlui.com/2022/02/27/unbox-teardown-tp-link-tl-sg...
And it’s always amateur hour backdoors somehow. If it was something sophisticated they might get a pass on „ok some security agency made them do it probably“
Or the amateur hour backdoors are there to be found.
Also honest take this looks less like a "backdoor" (implies malicious - this is a link to a CVE after all) and more like a developer access credential/default credential that was burned into the firmware (i'd imagine the code remains but on a production run they randomize the key so its non-guessable but then you get lazy and dont run that extra step and this slips in/you burn the bare firmware with no production configs).
I have a free give-away mikrotik unit in the same price bracket (literally free: they were both conference give-aways) it's physically smaller and it runs what appears to be their mainline code. Say what you like about microtik for quality, they provide pretty much every knob and frob you could want.
My Macbook is permanently locked out of Cox's hotspot system (used in some U.S. hotels) because the password was given to me on a tiny label which I couldn't read as a blind person except through OCR, and the OCR was wrong a few too many times.
Gets hard when you bring "smart" TV's to the table. They're going to need to expose into this system somewhat 'credential-free' but if you do it off MAC address then a determined user could disconnect, find MAC, clone ...
What's old is new again.
(Good to know it remains useful by using openWRT and doesn't become landfill)
I wouldn't buy new hardware. Any modest machine built in the last decade would do. If possible, get a machine with an internal ATX power supply rather than an external brick, they tend to be more reliable.
If all you need is 1Gpbs and WiFi, OpenWrt on consumer hardware is probably enough though.
binwalk US_AC10V6.0si_V16.03.62.09_multi_TDE01.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
516 0x204 OpenSSL encryption, salted, salt: 0x436999A39FECA649
binwalk US_BE12ProV1.0mt_V16.03.66.23_TD01.bin DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
516 0x204 OpenSSL encryption, salted, salt: 0x81235B7D4130B6AB
The third attempt I tried was unencrypted, and possibly reveals the problem exists on another model this CVE doesn't list as affected:binwalk US_W18EV2_kf_V16.01.0.20\(4766\)_HighPower\ \(1\).bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
64 0x40 uImage header, header size: 64 bytes, header CRC: 0x95335734, created: 2026-06-16 09:09:35, image size: 2159135 bytes, Data Address: 0x80100000, Entry Point: 0x805F41C0, data CRC: 0x5ABEDB00, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Tenda Linux-4.14.90"
128 0x80 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 6947248 bytes
2159263 0x20F29F Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8971644 bytes, 847 inodes, blocksize: 1048576 bytes, created: 2026-06-16 08:53:20
Inside is /squashfs-root/webroot_ro/default_ac.cfg which offers: sys.rzadmin.username=rzadmin
sys.rzadmin.password=cnphZG1pbg== (ed: base64 decoded: rzadmin)
sys.guest.username=guest
sys.guest.password=Z3Vlc3Q= (ed: base64 decoded: guest)
And /squashfs-root/webroot_ro/default_router.cfg which offers: sys.rzadmin.username=rzadmin
sys.rzadmin.password=cnphZG1pbg== (ed: base64 decoded: rzadmin)
From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd
reminds me of a bug I found in some tplink router it compared passwords of 3 different users but that table was empty so basically 15 NULL bytes would log you in as admin lol
Backdoor passwords left for convenient debugging are not surprising anymore.
And if you ever looked inside the firmwares of these IoT Linux boxes (be it sip phones, payment terminals, ip cameras, routers, modems, etc.) you'd not want it anywhere near anything that needs to be secure. OpenWRT or your own thing, or very strict isolation, or nothing.
Security holes in networking equipment
Affects not just the compromised devices.
https://www.schneier.com/wp-content/uploads/2016/09/paper-ke...
This is the main reason why you should always use OpenWRT or other opensource router OS. If it gets an issue, at least it would get patched in the next update.
Barracuda Networks: https://krebsonsecurity.com/2013/01/backdoors-found-in-barra...
Fortinet: https://community.spiceworks.com/t/hard-coded-password-backd...
Korenix: https://sec-consult.com/vulnerability-lab/advisory/backdoor-...
The fact that the password is "rzadmin" makes it a lot more likely that this is just run of the mill stupidity, and not something more nefarious: you'd want a backdoor that isn't blindingly obvious and usable by the CIA.