Hidden backdoor in Tenda router firmware grants admin access

by · BleepingComputer

A hidden authentication backdoor has been found in multiple Tenda router firmware versions, potentially allowing an attacker to gain administrative access to the device's web management panel.

According to a security bulletin from the CERT Coordination Center, the issue remains unfixed because the Chinese maker of the networking equipment couldn't be reached.

CERT/CC says the issue, tracked as CVE-2026-11405, is caused by an undocumented authentication mechanism in the 'login()' function of the '/bin/httpd' web server binary.

If a user attempts to log in, the router firmware will perform standard MD5-based authentication. If that fails, it will retrieve an alternate password from the 'sys.rzadmin.password' configuration value and compare it directly to the plaintext password supplied by the remote user.

If the passwords match, the device grants administrator (role=2) access and creates a valid session, regardless of the username entered.

So any username will be accepted by the mechanism as long as the backdoor password is supplied.

CERT/CC says this mechanism isn't documented anywhere, or mentioned on the administrative interface, leaving users unaware of the risk.

"Successful exploitation grants full administrative access to the device's web interface, regardless of the configured administrator account credentials," describes CERT/CC.

"With administrative control, an attacker can reconfigure the device, alter network settings, and disable security features, enabling broader compromise of the local network."

CVE-2026-11405 impacts the following Tenda firmware versions and devices:

  • US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD – Tenda FH1201 (WiFi router)
  • US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE – Tenda W15E (WiFi router)
  • US_AC10V1.0re_V15.03.06.46_multi_TDE01 – Tenda AC10 (WiFi router)
  • US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 – Tenda AC5 (WiFi router)
  • US_AC6V2.0RTL_V15.03.06.51_multi_T – Tenda AC6 V2 (WiFi router)

CERT/CC reports that no patch is currently available, and Tenda users are advised to disable the remote web management panel to prevent internet access to the vulnerable interface.

Additionally, it is recommended to restrict local network exposure by changing the default LAN IP address to reduce opportunistic discovery by automated scanners.

CVE-2026-11405 was discovered and reported to CERT/CC by an anonymous researcher.

While no mention of active exploitation exists, the issue is very likely to be targeted by botnets focusing on router flaws in the coming period.

BleepingComputer has contacted Tenda for comment, and we will add their response if we receive one.

Test every layer before attackers do

Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.

The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection.

Get the whitepaper