CVE-2026-11405

The web server binary /bin/httpd contains a hidden backdoor authentication mechanism in the login() function at 004c88b8. - The function contains a normal authentication path using MD5/hash-based password verification (prod_encode64/PasswordToMd5/check_rand_key). - After normal authentication fails, it calls GetValue("sys.rzadmin.password") to read a backdoor password from the device configuration. - It performs a direct strcmp() comparison (plaintext, not hashed) between the config value and the user-supplied password. A successful match grants role=2 (admin-level access) and creates a valid session. The rzadmin username is never checked — any username works with the backdoor
Configurations

No configuration.

History

08 Jul 2026, 14:16

Type Values Removed Values Added
CVSS v2 : unknown
v3 : unknown
v2 : unknown
v3 : 9.8

06 Jul 2026, 21:16

Type Values Removed Values Added
References
  • () https://www.kb.cert.org/vuls/id/213560 -

06 Jul 2026, 20:16

Type Values Removed Values Added
New CVE

Information

Published : 2026-07-06 20:16

Updated : 2026-07-08 14:16


NVD link : CVE-2026-11405

Mitre link : CVE-2026-11405

CVE.ORG link : CVE-2026-11405


JSON object : View

Products Affected

No product.

CWE

No CWE.