The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8.
- The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key).
- After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration.
- It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password.
A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor
References
Configurations
No configuration.
History
08 Jul 2026, 14:16
| Type | Values Removed | Values Added |
|---|---|---|
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.8 |
06 Jul 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| References |
|
06 Jul 2026, 20:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-07-06 20:16
Updated : 2026-07-08 14:16
NVD link : CVE-2026-11405
Mitre link : CVE-2026-11405
CVE.ORG link : CVE-2026-11405
JSON object : View
Products Affected
No product.
CWE
No CWE.
