Using Robots to Find Backdoors into Your Network
Using the newly released AI-assisted firmware analysis tool, Wairz, Software Secured discovered critical vulnerabilities in a number of Tenda firmware images.
Following the release of Andrew Bellini’s Wairz.ai tool earlier this year, we decided to test it out for ourselves. Bellini coordinated the release of Wairz with his disclosure of several high impact vulnerabilities affecting Tenda routers, which inspired us to focus our efforts on the same brand to see if we could achieve similar results.
Tenda is a Chinese-based manufacturer of networking devices, and while not yet popular in North America, has achieved quite a level of success in China and Asia. It seems to be somewhat reminiscent of the early days of TP Link, offering a wide range of products in the networking space with a low-level of security.
What’s with Wairz?
Using his experience as a hardware hacker, Andrew Bellini decided to develop a framework for the analysis of firmware. Rather than pass the entire task off to AI, it provides an interesting blend of automated analysis performed by scripts and an MCP server that enables your chosen agent to assist with the process of reverse engineering. Per the Wairz website, you can, “Upload firmware images, unpack them, explore the filesystem, analyze binaries, and conduct security assessments — all powered by AI analysis via Model Context Protocol (MCP).”

The tool contains a range of features including: a handy file explorer, RTOS support, SBOM & CVE scanning, emulation and fuzzing, firmware comparison, a UART console to interact with a live device, and the ability to easily export results into a report. The tool allows a hardware hacker to speed up the identification and exploitation of vulnerabilities, and provides them with many rabbit holes to explore further through manual analysis.
If you’d like to learn more, check out this video Andrew did with Matt Brown:
Target Selection
Since our goal was to determine the efficacy of Wairz, we decided to randomly select a firmware image from Tenda’s support portal for our analysis. In this case, we went with the 9 Port Gigabit Ethernet PoE Router, G0-8G-PoE; a device which would be used by a small-to-medium sized business or home office network.
Once we had selected our target, we loaded it into Wairz. The following screenshot shows the File Explorer page after loading it.

One common headache with reverse engineering firmware images is the many file formats they come in. Generally, firmware images are composed of several different partitions, with different file compression formats such as squashFS or UBI being used for compression. This can be quite challenging to handle automatically, however Wairz has achieved that with a high degree of success in my testing.
MCP Server
Once the firmware image had been decompressed, Claude Code would be able to access it through the Wairz MCP server to begin analysis.

By implementing headless Ghidra, reversing the main application binary that controls the webserver, and thus the router, was fairly straightforward. We could instruct Claude to kick off the process of reversing the binary, focusing on the identification of vulnerabilities that would allow us to achieve code execution.

End-to-end, the whole process was completed shockingly fast. Once the main vulnerabilities had been identified, the results were all viewable through the Wairz web interface for manual review.

The most interesting vulnerability identified was the one which we can see in the previous screenshot. An attacker who can access the login portal can authenticate using a hardcoded admin password, providing them with full access to the administrative interface, from which there are a handful of techniques which enable remote code execution (RCE) including command injection, simply starting a telnet shell, or including a backdoor in a firmware image. Not too bad for an hour's work!
This finding made us wonder: if we were able to find this so easily on a randomly chosen firmware image, does it apply to other Tenda devices?
Firmware Analysis Pipeline!
Our previous research on the TP Link firmware repository inspired us to once again build a pipeline, which would allow us to analyze every publicly available Tenda firmware image. However, to do so this time would be a little different, and more complex—we didn’t have an open S3 bucket to pull from.
Returning to the Tenda website’s firmware download center, seen in the following screenshot, we decided to figure out how we could scrape their downloads page.
When the page is loaded, a GET request is made to pull the listings for the most recent versions of every firmware image.

We could right-click this request, select Copy > Copy as cURL, and replay it in our terminal to see the response in a beautified format by piping it into JQ.

In the previous image, we can see that each device’s latest firmware file is returned with the file key, meaning that we could simply filter this information with JQ. By increasing the pageSize count from 20 to 100, the number of results would be increased; since the total number of devices (according to the Download Center) was 463, all we’d have to do was to iterate through this five times to obtain the URL for every device.

With a full listing of every firmware image in tow, we could build our pipeline.
This pipeline would function similarly to the TP Link pipeline; with some small modifications, we would need to:
- Pull the image.
- Unzip it.
- Decompress the firmware image.
- Check to ensure that it succeeded.
- Spin up a headless Ghidra instance to look for occurrences of the previously identified backdoor patterns, as well as a handful of other vulnerabilities we had identified.
- Export the findings to a Markdown-formatted document for review.
After some trial runs, the pipeline was working and we could set it and forget it while working on some other products.
The Verdict
8 hours later, the pipeline had completed scanning the entire Tenda firmware repository. The results can be seen in the following table:

11 of the 463 firmware images scanned were found to have the hidden backdoor account; however, almost 20% of them contained hardcoded default credentials, which could allow a remote attacker to gain access to either the web portal or one of the services running on the device, such as Telnet or SSH. Some images also contained an empty password, which would permit logging in without supplying any authentication credentials.
Disclosure
Having chatted with Andrew about his unsuccessful experience attempting to disclose vulnerabilities to Tenda, we decided to attempt to first contact them through their security contact email. Unfortunately, even after two weeks, we did not receive any response from them. Considering the severity of the vulnerabilities identified, we were not satisfied with this. Thus, we turned our attention to the Carnegie Mellon CERT to attempt to provide us assistance with this task.
Despite the severity and the several attempts to contact Tenda through various channels, neither we nor the CERT were able to elicit a response. As a result, the vulnerabilities remain unpatched and the affected Tenda routers still contain these issues.
Conclusion
What does this mean for organizations? Well, thankfully, these devices have not become popular in North America as of yet. However, given the speed at which new hardware manufacturers rise to prominence, it is not out of the question that they might some day. While the US ban on foreign-made routers was quite short-sighted—as of today there are no routers manufactured within the United States—there is an obvious security risk associated with devices which have not undergone thorough auditing.
Organizations and individual consumers must remain vigilant to the risks posed by technologies that they implement in their networks, especially those that are exposed to the web. Attackers are steadily shifting away from exploitation of edge-devices and towards social engineering or the exploitation of credentials obtained from stealer logs. However, low-hanging fruit like insecure firewalls, file transfer servers, and routers are actively and frequently exploited to gain initial access. Furthermore, despite the aforementioned trend towards social engineering, we have seen a steady increase in the number of devices that are compromised for the purpose of use in a botnet of residential proxies to route malicious traffic through or to attack other systems. Given the risks, it is likely time to evaluate the vendors that are within your network, and contemplate whether they have been sufficiently tested.

.avif)

