AI-Powered Application Penetration Testing—Scale Security Without Compromise Learn More

Image
Episode 25  •  Jul 10, 2026  •  38 Min

Old Backdoors, Ghost Phishing, and Borrowed AI

Three stories on the table this week. A CERT advisory calls a hidden Tenda router login path an undocumented backdoor, but the credential has sat in the vendor's own documentation since 2019. A phishing kit called EvilTokens ships pages that don't exist until a victim's browser builds them. And CISA turned Anthropic's Mythos model loose on the government's own code, while the two sides are still negotiating who's allowed to run it. Here's what stood out from the operator chair.

CERT called it a new backdoor. Tenda's own documentation called it a feature back in 2019. CERT/CC's advisory on CVE-2026-11405 warns that several Tenda router builds will accept a hidden password if the real one fails, no patch, no reply from the vendor. In addition to our crew's commentary, we were joined by special guest Matt Evans, an IoT security researcher who has been sitting on this exact credential for years, documented in Tenda's own user guide since 2019 and written up again in 2022. The real undocumented backdoor sits one screen over: unchangeable guest/guest credentials that also grant admin. Nobody's chasing bugs like this because nobody can afford to. ZDI and SSD Disclosure list Tenda out of scope; paying bounty rates on a vendor closing in on 2,000 CVEs in four years would bankrupt a program. A known-bad vendor gets to age quietly out of view until a fresh CVE number turns the same bug back into news.

Nothing shows up in a scanner for a phishing page that doesn't exist yet. Researchers are tracking EvilTokens, a phishing-as-a-service kit that ships victims an empty, encrypted page; only a real browser's JavaScript decrypts the actual Microsoft device-code login flow underneath. The victim never hands over a password. They complete a genuine Microsoft sign-in and, without realizing it, authorize the attacker's session instead of their own. That's a stolen token, not a stolen credential, running on a clock instead of forever. What that window is worth depends on how far an org's single sign-on reaches: a firm wired deep into Azure and a dozen SaaS tools hands over far more than a hospital on a separate card-swipe network. The kit is clever, but the move underneath it is old: find the widest blast radius and go there first.

Handing your own code to the same model an attacker could use doesn't close the gap between them, it just moves the race faster. Reuters reports CISA's Attack Surface Evaluation team is running Anthropic's Mythos model against government code and has already turned up a large number of vulnerabilities, even while Anthropic and the White House are still negotiating who gets to run the model at all. Faster bug-finding on defense sounds like a win, but it doesn't touch the asymmetry underneath: an attacker needs one open door, a defender has to lock every one and keep it locked. There's a governance question here too: a vendor labeled a supply-chain risk one quarter and auditing government code the next is a policy statement with no stated penalty, and policies without enforcement get priced in, not respected. Better tooling raises the floor. It doesn't touch the part of the job that was always hardest: deciding what to fix first.

Security Headlines:


Sean McMillan Headshot

Sean McMillan

Community Manager

Sean McMillan is Community Manager at Bishop Fox, focused on making complex security topics easier to understand and more interesting to follow. He holds a bachelor’s degree in Mass Communication and Media Studies from Arizona State University and brings over a decade of experience in podcasting, live hosting, and audience engagement. As host of Initial Access, he works with practitioners to explore how real-world attacks actually happen.


Richard Brown headshot

Richard Brown

Senior Managing Operator II

Richard Brown is a Senior Managing Operator II at Bishop Fox, where he leads a team focused on emerging threats, customer notification, exploit development, automation, and operational innovation. He partners across the organization to enhance attack surface intelligence capabilities and deliver actionable security insights to customers.

With more than 15 years of experience in cybersecurity, consulting, and law enforcement, Richard has specialized in threat intelligence, offensive security, and investigative analysis. His background as a detective in the Intelligence Division of the St. Louis Metropolitan Police Department helps shape his attacker-focused approach to identifying and understanding threats.


Sergio Villegas BF Headshot

Sergio Villegas

Sr. Managing Analyst II

Sergio Villegas is a Sr. Managing Analyst II in the Attack Surface Intelligence team at Bishop Fox where he is one of the lead researchers. His main areas of focus are emerging threats, attack surface mapping, and tactical lead generation. Sergio has over 11 years of experience in cybersecurity during which he has worked as a researcher and consultant to help companies improve their procedures, technologies, and techniques around threat intelligence and threat hunting.


Banksy Fox exploder1

Matt Evans

Independent Researcher

Matt Evans is an offensive security researcher. Matt served in selectively manned US Air Force teams, graduated from the NSA's Computer Network Operations Development Program (CNODP), and currently works for a Cyber Physical Systems protection company.


Subscribe to our PODCAST

Real talk on the threats, trends, and tactics shaping security today

Listen Anywhere