Tenda Mx12 Firmware [ 1080p – 8K ]

# Using binwalk to carve the squashfs $ binwalk -Me Tenda_MX12_V1.0.0.24_EN.bin 256 0x100 TRX firmware header, image size: 14876672 bytes 512 0x200 LZMA compressed data 1456128 0x163800 Squashfs filesystem, little endian, version 4.0

An authenticated attacker (or any user on the LAN if the session check is bypassed) can inject arbitrary commands via the ping diagnostic tool. Example: Tenda Mx12 Firmware

Using a simple Python script, we triggered a crash dump: # Using binwalk to carve the squashfs $

The Tenda MX12 is a textbook case of "cheap hardware, dangerous software." While it works fine as a basic access point, its security posture is unacceptable for any environment containing sensitive data. Unless Tenda releases a complete rewrite (unlikely), we recommend avoiding this product entirely. else if (strstr(cmd

Disclosure timeline: Reported to Tenda Security (security@tenda.com.cn) on Jan 12, 2026 – no acknowledgment as of April 17, 2026.

// Pseudocode reversed from libhttpd.so (Ghidra) void do_debug_cmd(char *cmd) char buf[256]; if (strcmp(cmd, "tendadebug2019") == 0) // Hidden factory reset + diagnostic dump system("/usr/sbin/factory_reset.sh --full"); system("/usr/sbin/dump_regs > /tmp/debug.log"); else if (strstr(cmd, "ping")) // Command injection primitive sprintf(buf, "ping -c 4 %s", cmd + 4); system(buf);

No CSRF token validation exists on this endpoint. Using strings on the squashfs root, we discovered: