VYPR
vulnerabilityPublished Jul 7, 2026· 2 sources

Tenda Routers Hit by Critical Authentication Backdoor Vulnerability

Multiple Tenda router models are vulnerable to CVE-2026-11405, an authentication backdoor allowing full administrative access without valid credentials.

A critical authentication backdoor vulnerability, identified as CVE-2026-11405, has been discovered in numerous Tenda router models and their firmware versions, posing a significant risk to home and small business users. The flaw allows attackers to bypass standard authentication mechanisms and gain complete administrative control over affected devices.

The vulnerability resides within the web server binary, specifically in the login() function of the /bin/httpd component. While normal authentication involves MD5-based password verification, the flaw introduces an undocumented fallback mechanism. When authentication fails, the system retrieves a secondary password from the device configuration using GetValue("sys.rzadmin.password"). Crucially, this password is then compared directly in plaintext using strcmp(), rather than employing secure hashing or comparison methods.

Successful exploitation of this backdoor grants attackers administrative privileges by creating a valid session, even if the username provided is arbitrary. This means an attacker does not need to know a legitimate username; any username combined with the backdoor password is sufficient to gain full administrative access. The existence of this backdoor is not documented and cannot be discovered through the standard administrative interface, making it particularly insidious.

The affected Tenda router models include the FH1201, W15E, AC10, AC5, and AC6 series, impacting multiple firmware versions. These devices are commonly deployed in environments where network security is paramount, and unauthorized administrative access can have severe consequences.

With full administrative control, attackers can modify network configurations, redirect user traffic to malicious sites, disable security features, or even deploy malicious firmware onto the compromised routers. This level of access can facilitate sophisticated attacks such as man-in-the-middle interception, establishing persistent footholds within a network, and enabling lateral movement to other connected systems.

As of the disclosure on July 6, 2026, Tenda has not yet released any official patches or firmware updates to address CVE-2026-11405. Attempts to coordinate with the vendor for a fix were reportedly unsuccessful. In the absence of a patch, security experts strongly advise users to implement immediate mitigation strategies.

The primary recommendation is to disable the remote web management feature on affected Tenda routers. This prevents external attackers from accessing the device's web interface. Additionally, changing the default local IP address of the router might offer some protection against automated scanning, but it does not mitigate the risk from targeted attacks.

The discovery of such hidden backdoors raises significant concerns about the security practices employed during firmware development and the overall trustworthiness of the supply chain for network devices. Users and organizations relying on vulnerable Tenda hardware are urged to monitor for official updates and consider alternative solutions if a timely fix is not provided.

The CERT Coordination Center (CERT/CC) has now issued its own warning regarding the Tenda router backdoor, identified as CVE-2026-11405. This advisory highlights that the backdoor is an undocumented feature within the firmware, allowing attackers to bypass password authentication and gain administrative control over the affected devices' web management interfaces.

Synthesized by Vypr AI