It looks like recent Tenda hardware/firmware is encrypted per below examples, making it harder to audit.
binwalk US_AC10V6.0si_V16.03.62.09_multi_TDE01.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
516 0x204 OpenSSL encryption, salted, salt: 0x436999A39FECA649
binwalk US_BE12ProV1.0mt_V16.03.66.23_TD01.bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
516 0x204 OpenSSL encryption, salted, salt: 0x81235B7D4130B6AB
The third attempt I tried was unencrypted, and possibly reveals the problem exists on another model this CVE doesn't list as affected:
binwalk US_W18EV2_kf_V16.01.0.20\(4766\)_HighPower\ \(1\).bin
DECIMAL HEXADECIMAL DESCRIPTION
--------------------------------------------------------------------------------
64 0x40 uImage header, header size: 64 bytes, header CRC: 0x95335734, created: 2026-06-16 09:09:35, image size: 2159135 bytes, Data Address: 0x80100000, Entry Point: 0x805F41C0, data CRC: 0x5ABEDB00, OS: Linux, CPU: MIPS, image type: OS Kernel Image, compression type: lzma, image name: "MIPS Tenda Linux-4.14.90"
128 0x80 LZMA compressed data, properties: 0x6D, dictionary size: 8388608 bytes, uncompressed size: 6947248 bytes
2159263 0x20F29F Squashfs filesystem, little endian, version 4.0, compression:xz, size: 8971644 bytes, 847 inodes, blocksize: 1048576 bytes, created: 2026-06-16 08:53:20
Inside is /squashfs-root/webroot_ro/default_ac.cfg which offers:
sys.rzadmin.username=rzadmin
sys.rzadmin.password=cnphZG1pbg== (ed: base64 decoded: rzadmin)
sys.guest.username=guest
sys.guest.password=Z3Vlc3Q= (ed: base64 decoded: guest)
And /squashfs-root/webroot_ro/default_router.cfg which offers:
sys.rzadmin.username=rzadmin
sys.rzadmin.password=cnphZG1pbg== (ed: base64 decoded: rzadmin)
From what I can see quickly (I haven't looked hard), "sys.rzadmin.password" is only referenced from the login() function of /bin/httpd in the context of retrieving a value. This value is retrieved and compared before the error message "login err: password is wrong." is emitted. I can't find any other reference to code in any part of the firmware that may allow a user to change the default value of "sys.rzadmin.password".
Also for fun there is a function imsd_upload_log_v1 in /bin/imsd that collects SSIDs, MACs, IP addresses, sys.admin.username, sys.rzadmin.username, timezone, and another function imsd_remote_pwd_get in /bin/imsd that retrieves sys.admin.password. Related library /lib/lubucapi.so also looks like a fun binary to inspect more closely as it contains a command set that seemingly allows either cloud management of Tenda routers and/or remote debugging, and possibly is why imsd_remote_pwd_get exists in /bin/imsd