Tenda Routers Exposed: Undocumented Backdoor Grants Admin Access
A critical backdoor vulnerability, tracked as **CVE-2026-11405**, has been discovered in several firmware versions of **Tenda** network devices. This flaw allows attackers to bypass authentication and gain full administrative control over affected routers, posing a significant security risk to users.

The **CERT Coordination Center (CERT/CC)** issued a warning regarding an undocumented authentication backdoor found in various firmware releases by Chinese network device manufacturer **Tenda**. This backdoor enables administrative access to the devices' web management interfaces without valid credentials.
### The Vulnerability: CVE-2026-11405
According to the **CERT/CC**, the vulnerability, identified as **CVE-2026-11405**, allows attackers to bypass the standard password verification process. This grants them full administrative control over the affected **Tenda** devices.
The following firmware versions are known to be impacted:
* US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
* US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
* US_AC10V1.0re_V15.03.06.46_multi_TDE01
* US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
* US_AC6V2.0RTL_V15.03.06.51_multi_T
### How the Backdoor Functions
The backdoor resides within the `login()` function of the `/bin/httpd` web server binary. While the initial authentication path uses **MD5**-based password verification, a critical alternate code path is activated upon authentication failure.
This alternate path calls `GetValue("sys.rzadmin.password")` to retrieve a secondary password from the device's configuration. A direct plaintext comparison is then performed between the user-supplied password and this configuration-stored value. If these values match, the application grants admin-level access (role=2) and creates a valid session with elevated privileges.
Crucially, the associated `rzadmin` username is not validated. This means any provided username will succeed if paired with the backdoor password. The **CERT/CC** emphasizes that this backdoor authentication mechanism is neither documented nor visible through any administrative interface.
### Potential Impact and Mitigation
Successful exploitation of this flaw can lead to a complete device takeover. Attackers can remotely modify settings, disable security features, or reconfigure the device without authorization. As of this writing, the vulnerability, reported by an anonymous researcher, remains unpatched.
Users of affected **Tenda** devices are strongly advised to:
* Disable remote management on the device.
* Change the default **LAN** IP address to prevent opportunistic discovery by automated scanners targeting known default IP ranges.
Ghost Protocol has reached out to **Tenda** for comment and will update this story with any new information.