Tenda Firmware Backdoor CVE-2026-11405 Grants Unauthenticated Admin Access
A critical backdoor vulnerability, CVE-2026-11405, in Tenda firmware allows unauthenticated attackers to gain administrative access to devices via their web interface.

A significant security vulnerability, identified as CVE-2026-11405, has been discovered in the firmware of various Tenda networking devices, including routers and switches. This backdoor flaw allows unauthenticated attackers to bypass login mechanisms and gain full administrative control over affected devices through their web management interface.
The vulnerability resides within the login function of the web server binary. According to the CERT Coordination Center (CERT/CC), the issue arises because the login mechanism, upon a failed authentication attempt, attempts to retrieve a password directly from the device's configuration. Crucially, it then compares the user-supplied password against this stored value in plaintext, without validating the provided username. This means any username paired with the specific backdoor password will grant administrative privileges.
This backdoor mechanism is undocumented and not visible through any administrative interface, making it a hidden threat. Successful exploitation grants attackers the ability to modify device configurations, alter network settings, and disable critical security features. This level of control can pave the way for broader network compromise and further malicious activities within a compromised network.
CERT/CC has reported that they were unable to coordinate with Tenda to address this vulnerability, and as of the disclosure, no patch has been released by the vendor. This leaves users of Tenda devices exposed to potential attacks.
To mitigate the immediate risk, users are strongly advised to disable remote web management features on their Tenda devices. This prevents unauthorized external access to the vulnerable web interface. Additionally, changing the default LAN IP address can help reduce the likelihood of discovery by automated scanning tools.
In a separate advisory, CERT/CC also highlighted a missing authorization vulnerability (CVE-2026-13753) in HP Deskjet 2800 series printers. This flaw, also unpatched, allows unauthenticated attackers to access sensitive configuration data, including Wi-Fi credentials and administrative passwords, by sending crafted GET requests to specific API endpoints.
The lack of vendor response for CVE-2026-11405 underscores the importance of proactive security measures for Internet of Things (IoT) and network infrastructure devices. Users should remain vigilant and regularly check for firmware updates or security advisories from manufacturers.
This discovery serves as a stark reminder of the persistent security challenges in the embedded device market, where vulnerabilities can remain unaddressed for extended periods, posing a significant risk to both individual users and larger networks.