Undocumented Backdoor Grants Admin Access to Tenda Routers
A critical, unpatched authentication backdoor has been discovered in multiple **Tenda** router firmware versions. This vulnerability, tracked as **CVE-2026-11405**, allows attackers to bypass standard authentication and gain full administrative control over affected devices, posing a significant risk to network security.
A serious security flaw has been identified in various **Tenda** router firmware, creating a hidden authentication backdoor that could allow unauthorized administrative access. The **CERT Coordination Center (CERT/CC)** issued a bulletin detailing the issue, noting that **Tenda**, a Chinese networking equipment manufacturer, has not yet been reached for a fix.
### The Undocumented Backdoor
The vulnerability, designated **CVE-2026-11405**, stems from an undocumented authentication mechanism within the `login()` function of the `/bin/httpd` web server binary. When a user attempts to log in, the firmware first tries standard **MD5-based authentication**. If this fails, it retrieves an alternate password from the `sys.rzadmin.password` configuration value.
This alternate password is then directly compared to the plaintext password supplied by the remote user. If these match, the device grants administrator-level access (`role=2`) and establishes a valid session, regardless of the username provided. This means any username can be used as long as the backdoor password is correct.
**CERT/CC** emphasizes that this mechanism is completely undocumented and not visible in the administrative interface, leaving users unaware of its existence and the inherent risk.
### Consequences of Exploitation
Successful exploitation of **CVE-2026-11405** grants an attacker full administrative control over the device's web interface, bypassing any configured administrator credentials. As **CERT/CC** describes, "With administrative control, an attacker can reconfigure the device, alter network settings, and disable security features, enabling broader compromise of the local network."
### Affected Devices and Firmware
The following **Tenda** firmware versions and devices are confirmed to be impacted by this vulnerability:
* **US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD** β **Tenda FH1201** (WiFi router)
* **US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE** β **Tenda W15E** (WiFi router)
* **US_AC10V1.0re_V15.03.06.46_multi_TDE01** β **Tenda AC10** (WiFi router)
* **US_AC5V1.0RTL_V15.03.06.48_multi_TDE01** β **Tenda AC5** (WiFi router)
* **US_AC6V2.0RTL_V15.03.06.51_multi_T** β **Tenda AC6 V2** (WiFi router)
### Mitigation Recommendations
As no patch is currently available, **CERT/CC** advises **Tenda** users to take immediate action to protect their networks:
1. **Disable the remote web management panel:** This prevents internet access to the vulnerable interface.
2. **Restrict local network exposure:** Change the default LAN IP address to make it harder for automated scanners to discover the device.
**CVE-2026-11405** was reported by an anonymous researcher. While there is no evidence of active exploitation yet, such router flaws are frequently targeted by botnets like **Mirai**, making prompt mitigation crucial for all users of affected devices.