Hidden Backdoor Authentication in Web Server Binary by Vendor
CVE-2026-11405
What is CVE-2026-11405?
The web server binary '/bin/httpd' contains a vulnerability that enables a hidden backdoor authentication mechanism within its login function. This flaw allows unauthorized access by reading a backdoor password from the device configuration file if normal authentication fails. Using a direct comparison, the system checks the provided password against the plaintext backdoor password without any hashing or secure verification methods. This design flaw not only bypasses standard password checks but also allows any username to be used, significantly elevating the risk of unauthorized administrative access to the system.
Affected Version(s)
firmware US_AC6V2.0RTL_V15.03.06.51_multi_T
firmware US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
firmware US_AC10V1.0re_V15.03.06.46_multi_TDE01