Tenda AX12 Pro V2 Telnet Service Hard-Coded Credentials Vulnerability

A critical vulnerability has been identified in the Tenda AX12 Pro V2 router, specifically in version 16.03.49.24_cn. The issue arises within the Telnet service, where the device uses an insecure algorithm to generate the root password for the command-line interface. Instead of allowing a secure or user-defined password, the firmware creates credentials by combining the device's MAC address with a static string embedded in the firmware, then encoding it in Base64. This flaw effectively acts as a backdoor, as the MAC address is publicly accessible and the hard-coded string is identical across all devices of this model. Consequently, an attacker can easily compute the root password for any targeted device without authentication.

Impact

Exploitation of this vulnerability grants unauthenticated root access to the device, allowing full control over the system. Attackers can modify the file system, install persistent malware, such as Mirai or Gafgyt botnets, and intercept all network traffic through the router. The vulnerability also enables mass exploitation, as the password generation flaw can be automated, allowing worms to infect multiple devices quickly. Even if the web interface password is changed, the Telnet backdoor remains active, providing a persistent access point for attackers.

Reproduction

The vulnerability can be reproduced by accessing the Telnet service on a Tenda AX12 Pro V2 router running the affected firmware version. Once connected, the hard-coded root password can be calculated by combining the device's MAC address with the static string from the firmware, and encoding the result in Base64. This password can then be used to gain root access on the device.

Remediation

Users are advised to update their firmware to the latest version and disable remote management features that expose Telnet or web interfaces to the internet. Additionally, placing IoT devices on a separate VLAN can help contain potential security breaches.