Tenda Router Has Hardcoded Credentials and Other Dangerous Vulnerabilities

Researchers found quite a few major vulnerabilities in a popular Tenda router, including one that allowed attackers to log in as root. The device hasn’t been updated in a few years, and the company has yet to respond to notifications.

Security researchers at ISE Labs investigated the Tenda AC15 AC1900 Smart Dual-band Gigabit Wi-Fi router, and what they found is both worrying and predictable. Just last week, a Fraunhofer study looked at how often commercial routers are updated at some of the common vulnerabilities. They found that, on average, popular commercial routers haven’t received an update in the past year, and some for even longer.

The researchers who looked at the AC15 AC1900 noted that they tested the 15.03.05.19 version of the firmware and that Tenda hasn’t updated the firmware from 2017, but the 2019 firmware version is still available to download from Tenda’s US website.

“Our research efforts uncovered 5 CVEs with concerning ramifications for the firmware running on the Tenda AC15 AC1900,” said SanjanaSarda, a security analyst at ISE Labs. “It is worth mentioning that the exploitation of these vulnerabilities can be leveraged as part of a botnet to potentially attack external systems and other systems residing on the internal network,” she explained.

A few of the vulnerabilities are not that uncommon, including insufficient request validation, insufficient data validation and sanitation, and remote code execution. But the genuinely problematic stuff comes from hard-coded credentials, which can be used to gain access via an open Telnet port.

“Although the telnet daemon gives us root access to the router, we should be able to further exploit the vulnerabilities we have found so far to also start a persistent reverse shell on the device,” says Sarda.

All of these vulnerabilities would allow attackers to compromise the devices and cause a persistent denial of service condition. The vulnerabilities may extend to other devices in the same family, and since Tenda has yet to respond to the researchers, the vulnerabilities are still there and ready to be exploited.