Skip to content

When the Password Check Fails, You're In: The Hidden Admin Backdoor in Tenda Router Firmware (CVE-2026-11405)

Auth Backdoor
CVSS Pending
Impact Full Admin Access
Patch None Available

When the Password Check Fails, You're In: The Hidden Admin Backdoor in Tenda Router Firmware (CVE-2026-11405)

Tenda Router Firmware CWE-912 Hidden Functionality Published 2026-07-06 (CERT/CC)

Vulnerability Overview

CVE-2026-11405 is an undocumented authentication backdoor in multiple versions of Tenda router firmware. According to the CERT/CC advisory (VU#213560), an attacker can abuse a hidden alternate authentication path to bypass password verification and obtain full administrative control of a device's web management interface without valid credentials. Tenda is a widely used supplier of home and small-business networking gear, so a credential-free admin takeover in its firmware is a serious problem, made worse by the fact that there is no vendor patch at the time of writing. The bug was published on July 6, 2026, and researchers have not confirmed any active exploitation or public proof-of-concept code so far.

Bottom Line

There is no fix to install. If you operate an affected Tenda model, you must apply workarounds now: disable remote (WAN-side) web management, keep the admin interface off the public internet, and restrict it to a trusted, segmented network.

CVE ID
CVE-2026-11405
CVSS Score
Pending
Weakness
CWE-912 / 288
Affected Product
Tenda Firmware
Affected Models
FH1201 / W15E / AC10 / AC5 / AC6v2
Attack Surface
Web Management Interface
Patch Status
No Vendor Patch
Exploit Status
None Known

Why This Matters

Consumer and small-business routers are among the most attacked devices on the internet. They are numerous, long-lived, rarely updated, and frequently exposed, which is precisely why router firmware is a favorite target for botnets that assemble compromised devices into infrastructure for DDoS, proxying, and further attacks. A hidden admin backdoor removes even the small friction of finding a bug to exploit: the alternate authentication path is baked into the firmware. Combined with the absence of a patch, that leaves affected owners dependent on configuration hardening rather than a clean fix, and it raises uncomfortable questions about how an undocumented credential path ended up in shipping firmware in the first place.

Technical Analysis

Per the CERT/CC analysis, the backdoor lives in the login() function of the device's /bin/httpd web server binary. The function starts down a normal authentication path that verifies the supplied password using MD5-based hashing. The problem is what happens on failure: instead of simply rejecting the login, the code activates an alternate path. It calls GetValue("sys.rzadmin.password") to pull a separate password value out of the device configuration, then performs a direct plaintext comparison between that configuration-stored value and the password the user submitted.

If those two values match, the application grants administrator-level access (role=2) and establishes a valid session with elevated privileges. In other words, anyone who can reach the web interface and knows or can obtain the sys.rzadmin.password value gets in as admin, entirely outside the normal credential system. This is a hidden-functionality flaw (CWE-912), functionally an authentication bypass through an alternate channel (CWE-288), and it is exactly the kind of secondary, undocumented login path that should never exist in a security boundary.

Affected Devices

CERT/CC lists the following firmware builds as affected:

ModelAffected Firmware Build
Tenda FH1201US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
Tenda W15EUS_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
Tenda AC10US_AC10V1.0re_V15.03.06.46_multi_TDE01
Tenda AC5US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
Tenda AC6 V2.0US_AC6V2.0RTL_V15.03.06.51_multi_T

Because backdoor logic like this often shares a common code lineage across a vendor's product line, treat other Tenda models and firmware builds with appropriate suspicion even if they are not explicitly listed, and watch the CERT/CC note for updates.

Exploitation & Patch Status

As of publication, there is no confirmed in-the-wild exploitation and no public proof-of-concept, and this CVE is not listed in the CISA KEV catalog. That is the good news. The bad news is that Tenda has not released a patch, so the window between now and any future weaponization has to be covered entirely by hardening. Given how quickly router backdoors historically get folded into automated scanning and botnet tooling once details are public, affected owners should act now rather than wait for a fix that may be slow to arrive, if it arrives at all for older models.

Mitigation & Workarounds

With no patch available, the CERT/CC advisory and standard router-hardening practice point to configuration-based defenses:

  1. Disable remote web management. Turn off WAN-side or internet-facing administration so the web interface cannot be reached from outside your network. This blocks the most dangerous, remote version of the attack.
  2. Change the default LAN IP address. Moving off the default management address reduces trivial discovery by automated scanners and opportunistic tooling on the local network.
  3. Restrict and segment access. Limit the management interface to a small set of trusted hosts, and isolate untrusted or guest devices from the network segment that can reach the router admin page.
  4. Monitor and plan replacement. Watch for unexpected administrator sessions or configuration changes, and for older or end-of-life models that may never receive a fix, plan migration to a supported device.

The Bigger Picture

CVE-2026-11405 is a reminder that the trust you place in a device is only as good as the code you cannot see. An undocumented, config-driven admin login sitting quietly inside a shipping web server binary is the worst kind of vulnerability to defend against, because there is nothing to misconfigure on the user's side and, right now, nothing to patch. For defenders the practical takeaways are the durable ones for consumer and edge networking gear: never expose device administration to the internet, segment the networks these devices sit on, prefer vendors with a real track record of timely firmware fixes, and retire hardware that has aged out of support. Backdoors do not need an exploit; they just need to be reachable.

References

Latest