Software Secured Company Logo.
Services
Services
WEB, API & MOBILE SECURITY

Manual reviews expose logic flaws, chained exploits, and hidden vulnerabilities

Web Application Pentesting
Mobile Application Pentesting
Secure Code Review
Infrastructure & Cloud Security

Uncovers insecure networks, lateral movement, and segmentation gaps

External Network Pentesting
Internal Network Pentesting
Secure Cloud Review
AI, IoT & HARDWARE SECURITY

Specialized testing validates AI, IoT, and hardware security posture

AI Pentesting
IoT Pentesting
Hardware Pentesting
ADVANCED ADVERSARY SIMULATIONS

We simulate attackers, exposing systemic risks executives must address

Red Teaming
Social Engineering
Threat Modelling
PENETRATION TESTING AS A SERVICE

PTaaS provides continuous manual pentests, aligned with release cycles

Penetration Testing as a Service
OWASP TOP 10 TRAINING

Practical security training strengthens teams, shifting security left effectively

Secure Code Training

Ethical Hacking

Services Overview

Black arrow icon

Enterprise Deal Support

Services Overview

Black arrow icon
Ready to get started?
Identify real vulnerabilities confidently with zero-false-positive penetration testing
Learn More
Industries
Industries
INDUSTRIES
Data and AI

AI pentesting uncovers adversarial threats, ensuring compliance and investor trust

Healthcare

Penetration testing protects PHI, strengthens compliance, and prevents healthcare breaches

Finance

Manual pentests expose FinTech risks, securing APIs, cloud, and compliance

Security

Penetration testing validates SecurTech resilience, compliance, and customer trust

SaaS

Pentesting secures SaaS platforms, proving compliance and accelerating enterprise sales

CASE STUDY

“As custodians of digital assets, you should actually custodize assets, not outsource. Software Secured helped us prove that our custody technology truly delivers on that promise for our clients in both the cryptocurrency and traditional finance”

Nicolas Stalder,
CEO & Co-Founder, Cordial Systems
Black arrow icon
Ready to get started?
Our comprehensive penetration testing and actionable reports have 0 false positives so you can identify
Learn More
Compliance
Compliance
COMPLIANCE
SOC 2 Penetration Testing

Pentesting validates SOC 2 controls, proving real security to auditors and customers

HIPAA Penetration Testing

Manual pentesting proves HIPAA controls protect PHI beyond documentation

ISO 27001 Penetration Testing

Pentests uncover risks audits miss, securing certification and enterprise trust

PCI DSS Penetration Testing

Pentesting validates PCI DSS controls, protecting sensitive cardholder data

GDPR Penetration Testing

GDPR-focused pentests reduce breach risk, regulatory fines, and reputational loss

CASE STUDY

“Software Secured’s comprehensive approach to penetration testing and mobile expertise led to finding more vulnerabilities than our previous vendors.”

Kevin Scully,
VP of Engineering, CompanyCam
Black arrow icon
Ready to get started?
Our comprehensive penetration testing and actionable reports have 0 false positives so you can identify
Learn More
PricingPortal
Resources
Resources
resources
Blogs
Case Studies
Events & Webinars
Partners
Customer Testimonials
News & Press
Guides and Checklists
About Us
cybersecurity and secure authentication methods.
Black arrow icon
API & Web Application Security Testing

Attack Chains: The Hidden Weakness in Modern API & Web Application Security

Alexis Savard
November 21, 2025
Ready to get started?
Our comprehensive penetration testing and actionable reports have 0 false positives so you can identify
Learn More
Login
Book a Consultation
Deal Blocked?
Blog
/
Security Research
/
AI Penetration Testing Services

Using Robots to Find Backdoors into Your Network

Using the newly released AI-assisted firmware analysis tool, Wairz, Software Secured discovered critical vulnerabilities in a number of Tenda firmware images.

By Julian B
・
10 min read
Table of contents
Text Link
Text Link

Get security insights straight
to your inbox

Following the release of Andrew Bellini’s Wairz.ai tool earlier this year, we decided to test it out for ourselves. Bellini coordinated the release of Wairz with his disclosure of several high impact vulnerabilities affecting Tenda routers, which inspired us to focus our efforts on the same brand to see if we could achieve similar results. 

Tenda is a Chinese-based manufacturer of networking devices, and while not yet popular in North America, has achieved quite a level of success in China and Asia. It seems to be somewhat reminiscent of the early days of TP Link, offering a wide range of products in the networking space with a low-level of security.  

‍What’s with Wairz?

Using his experience as a hardware hacker, Andrew Bellini decided to develop a framework for the analysis of firmware. Rather than pass the entire task off to AI, it provides an interesting blend of automated analysis performed by scripts and an MCP server that enables your chosen agent to assist with the process of reverse engineering. Per the Wairz website, you can, “Upload firmware images, unpack them, explore the filesystem, analyze binaries, and conduct security assessments — all powered by AI analysis via Model Context Protocol (MCP).”

Wairz

The tool contains a range of features including: a handy file explorer, RTOS support, SBOM & CVE scanning, emulation and fuzzing, firmware comparison, a UART console to interact with a live device, and the ability to easily export results into a report. The tool allows a hardware hacker to speed up the identification and exploitation of vulnerabilities, and provides them with many rabbit holes to explore further through manual analysis. 

If you’d like to learn more, check out this video Andrew did with Matt Brown:

Target Selection

Since our goal was to determine the efficacy of Wairz, we decided to randomly select a firmware image from Tenda’s support portal for our analysis. In this case, we went with the 9 Port Gigabit Ethernet PoE Router, G0-8G-PoE; a device which would be used by a small-to-medium sized business or home office network. 

Once we had selected our target, we loaded it into Wairz. The following screenshot shows the File Explorer page after loading it.

a firmware image from Tenda’s support portal

One common headache with reverse engineering firmware images is the many file formats they come in. Generally, firmware images are composed of several different partitions, with different file compression formats such as squashFS or UBI being used for compression. This can be quite challenging to handle automatically, however Wairz has achieved that with a high degree of success in my testing.

‍MCP Server‍

Once the firmware image had been decompressed, Claude Code would be able to access it through the Wairz MCP server to begin analysis.

Wairz MCP server

By implementing headless Ghidra, reversing the main application binary that controls the webserver, and thus the router, was fairly straightforward. We could instruct Claude to kick off the process of reversing the binary, focusing on the identification of vulnerabilities that would allow us to achieve code execution.

claude identifying vulnerabilities

End-to-end, the whole process was completed shockingly fast. Once the main vulnerabilities had been identified, the results were all viewable through the Wairz web interface for manual review. 

 Wairz web interface

The most interesting vulnerability identified was the one which we can see in the previous screenshot. An attacker who can access the login portal can authenticate using a hardcoded admin password, providing them with full access to the administrative interface, from which there are a handful of techniques which enable remote code execution (RCE) including command injection, simply starting a telnet shell, or including a backdoor in a firmware image. Not too bad for an hour's work!

This finding made us wonder: if we were able to find this so easily on a randomly chosen firmware image, does it apply to other Tenda devices? 

Firmware Analysis Pipeline!

Our previous research on the TP Link firmware repository inspired us to once again build a pipeline, which would allow us to analyze every publicly available Tenda firmware image. However, to do so this time would be a little different, and more complex—we didn’t have an open S3 bucket to pull from. 

Returning to the Tenda website’s firmware download center, seen in the following screenshot, we decided to figure out how we could scrape their downloads page. 

When the page is loaded, a GET request is made to pull the listings for the most recent versions of every firmware image.

Tenda website’s firmware download center

We could right-click this request, select Copy > Copy as cURL, and replay it in our terminal to see the response in a beautified format by piping it into JQ. 

screenshot of terminal

In the previous image, we can see that each device’s latest firmware file is returned with the file key, meaning that we could simply filter this information with JQ. By increasing the pageSize count from 20 to 100, the number of results would be increased;  since the total number of devices (according to the Download Center) was 463, all we’d have to do was to iterate through this five times to obtain the URL for every device.

screenshot of terminal

With a full listing of every firmware image in tow, we could build our pipeline.

This pipeline would function similarly to the TP Link pipeline; with some small modifications, we would need to:

  1. Pull the image.
  2. Unzip it.
  3. Decompress the firmware image.
  4. Check to ensure that it succeeded. 
  5. Spin up a headless Ghidra instance to look for occurrences of the previously identified backdoor patterns, as well as a handful of other vulnerabilities we had identified.
  6. Export the findings to a Markdown-formatted document for review.

After some trial runs, the pipeline was working and we could set it and forget it while working on some other products. 

The Verdict

8 hours later, the pipeline had completed scanning the entire Tenda firmware repository. The results can be seen in the following table:

results from completed scanning the entire Tenda firmware repository

11 of the 463 firmware images scanned were found to have the hidden backdoor account; however, almost 20% of them contained hardcoded default credentials, which could allow a remote attacker to gain access to either the web portal or one of the services running on the device, such as Telnet or SSH. Some images also contained an empty password, which would permit logging in without supplying any authentication credentials. 

Disclosure

Having chatted with Andrew about his unsuccessful experience attempting to disclose vulnerabilities to Tenda, we decided to attempt to first contact them through their security contact email. Unfortunately, even after two weeks, we did not receive any response from them. Considering the severity of the vulnerabilities identified, we were not satisfied with this. Thus, we turned our attention to the Carnegie Mellon CERT to attempt to provide us assistance with this task. 

Despite the severity and the several attempts to contact Tenda through various channels, neither we nor the CERT were able to elicit a response. As a result, the vulnerabilities remain unpatched and the affected Tenda routers still contain these issues. 

Conclusion

What does this mean for organizations? Well, thankfully, these devices have not become popular in North America as of yet. However, given the speed at which new hardware manufacturers rise to prominence, it is not out of the question that they might some day. While the US ban on foreign-made routers was quite short-sighted—as of today there are no routers manufactured within the United States—there is an obvious security risk associated with devices which have not undergone thorough auditing. 

Organizations and individual consumers must remain vigilant to the risks posed by technologies that they implement in their networks, especially those that are exposed to the web. Attackers are steadily shifting away from exploitation of edge-devices and towards social engineering or the exploitation of credentials obtained from stealer logs. However, low-hanging fruit like insecure firewalls, file transfer servers, and routers are actively and frequently exploited to gain initial access. Furthermore, despite the aforementioned trend towards social engineering, we have seen a steady increase in the number of devices that are compromised for the purpose of use in a botnet of residential proxies to route malicious traffic through or to attack other systems. Given the risks, it is likely time to evaluate the vendors that are within your network, and contemplate whether they have been sufficiently tested. 

Ready to get in touch? Get started by booking a consultation now.

Book Consultation

About the author

Julian B

Penetration Tester

Julian is an intermediate penetration tester with nearly five years of experience working in cybersecurity, dedicated to penetration testing, open-source intelligence gathering, and moving the needle forward for organizations across Canada. He regularly engages with the community through presentations at conferences, on a range of topics including vulnerability research and OSINT investigations. This is work is underlined by several CVEs which have been attributed to his research on open-source applications.

Get security insights straight to your inbox

Continue your reading with these value-packed posts

Black arrow icon
Security Research

Hidden Dangers in Less.js: XSS, SSRF, and Remote Code Execution

Sherif Koussa
Sherif Koussa
7 min read
February 25, 2026
20 Cybersecurity Statistics for SMB's
Black arrow icon
Penetration Testing Services

20 Cybersecurity Statistics for SMB's

Cate Callegari
Cate Callegari
11 min read
March 17, 2023
The Ultimate Guide to Software Penetration Testing
Black arrow icon
DevSecOps & Shift‑left Security

The Ultimate Guide to Software Penetration Testing: Safeguarding Agile Development, Data, and Compliance

Sherif Koussa
Sherif Koussa
9 min read
December 11, 2024

Helping companies identify, understand, and solve their security gaps so their teams can sleep better at night

Book a Consultation
Centralize pentest progress in one place
Canadian based, trusted globally
Actionable remediation support, not just findings
Clutch logo
Web, API, Mobile Security
Web App PentestingMobile App PentestingSecure Code Review
Infrastructure & Cloud Security
External Network PentestingInternal Network PentestingSecure Cloud Review
AI, IoT & Hardware Security
AI PentestingIoT PentestingHardware Pentesting
More
PricingPortalPartnersContact UsAbout UsOur TeamCareers
More Services
Pentesting as a ServiceSecure Code Training
Industries
Data and AIFinanceHealthcareSecuritySaaS
Compliance
GDPR PentestingHIPAA PentestingISO 27001 PentestingPCI DSS PentestingSOC 2 Pentesting
Resources
BlogsCase StudiesEvents & WebinarsCustomer TestimonialsNews & PressWhitepapers
More
PricingPortalPartnersContact UsAbout UsOur TeamCareers
Resources
BlogsCase StudiesEvents & WebinarsCustomer TestimonialsNews & PressWhitepapers
Comparisons
Software Secured vs Cobalt
Security & CompliancePrivacy PolicyTerms & Conditions
2026 ©SoftwareSecured