PROBABLYPWNED
VulnerabilitiesJuly 7, 20265 min read

Tenda Router Backdoor Grants Admin Access — No Patch Available

CERT/CC warns of CVE-2026-11405, an undocumented authentication backdoor in Tenda router firmware. The vendor remains unreachable with no fix in sight.

Marcus Chen

Multiple Tenda router models ship with a hidden authentication backdoor that lets anyone with network access gain full administrative control—and the vendor hasn't responded to disclosure attempts.

The CERT Coordination Center published Vulnerability Note VU#213560 on July 6, 2026, warning that the flaw, tracked as CVE-2026-11405, exists in the firmware's web server binary. An anonymous researcher discovered the issue and reported it through CERT/CC after failing to reach Tenda directly.

How the Backdoor Works

The vulnerability sits in the login() function of the /bin/httpd binary that handles web management authentication. When a standard login attempt fails—normally meaning the MD5-hashed password doesn't match—the firmware takes an alternate path.

Instead of rejecting the attempt, it calls GetValue("sys.rzadmin.password") to retrieve a secondary password stored in the device configuration. If the user-supplied password matches this hidden value in a direct strcmp() comparison, the router grants full administrative access with role=2 privileges.

The backdoor ignores usernames entirely. Any username paired with the secret password succeeds, bypassing whatever credentials the device owner configured.

"With administrative control, an attacker can reconfigure the device, alter network settings, and disable security features," CERT/CC stated in the advisory, noting this could enable "broader compromise of the local network."

Affected Devices

Five firmware versions across popular Tenda models contain the backdoor:

  • FH1201: US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
  • W15E: US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
  • AC10: US_AC10V1.0re_V15.03.06.46_multi_TDE01
  • AC5: US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
  • AC6 V2: US_AC6V2.0RTL_V15.03.06.51_multi_T

These models are common in home and small business environments, particularly in markets where budget-friendly networking gear dominates. The AC series routers sell well on Amazon and through regional distributors.

Intentional or Oversight?

The configuration key sys.rzadmin.password ships populated by default, which means Tenda built this authentication path into the firmware deliberately. Whether it was intended as a support backdoor, debug mechanism, or something else remains unclear—the vendor hasn't commented.

This pattern echoes similar discoveries in consumer networking equipment over the years. Router manufacturers have repeatedly shipped devices with hardcoded credentials or hidden admin accounts, sometimes for legitimate support purposes that became security liabilities once exposed.

The lack of username validation makes this backdoor particularly easy to exploit. Attackers don't need to guess or discover a specific admin account—any string works as long as they have the backdoor password. Authentication bypasses in network appliances have become a recurring theme this year, including the Citrix NetScaler memory overread that drew comparisons to CitrixBleed.

No Patch, No Response

CERT/CC explicitly noted in the advisory: "We have not received a statement from the vendor." Coordination attempts failed, leaving the vulnerability disclosed without any remediation from Tenda.

This puts affected device owners in an uncomfortable position. Without a firmware update, the backdoor will remain in the code indefinitely. The situation mirrors what we saw last week with the Cisco Catalyst Center path traversal issue, though Cisco at least acknowledged the report and provided patches.

Tenda has faced security criticism before. The company's products have accumulated dozens of CVEs over the past several years, ranging from command injection to authentication bypasses. Chinese network equipment vendors broadly have struggled with timely security response processes that meet Western disclosure expectations.

What You Can Do

Since no patch exists, CERT/CC recommends these mitigations:

  1. Disable remote web management — This prevents attackers from reaching the login page over the internet. Most Tenda routers have this setting in the administration panel under remote management or WAN access options.

  2. Change the default LAN IP address — Moving off 192.168.0.1 or 192.168.1.1 won't stop a determined attacker, but it reduces hits from automated scanners that target common default ranges.

  3. Restrict local network access — If you can segment the network, limiting which devices can reach the router's management interface reduces exposure from compromised endpoints.

None of these fully eliminate the risk. The backdoor password likely exists in firmware binaries that researchers or attackers could extract through reverse engineering. Once that value becomes public, anyone with local network access could exploit it trivially.

Should You Replace the Router?

For home users, the risk depends on threat model. An attacker needs network access first—either through a compromised device on your LAN or by tricking you into visiting a malicious page that performs cross-site request attacks against your router. Most commodity malware doesn't target specific router models.

For businesses or anyone handling sensitive data, replacement makes sense. The combination of no vendor response, no patch timeline, and an intentionally planted backdoor password suggests the situation won't improve. Budget-tier networking gear comes with budget-tier security support.

If you're running one of the affected models in a production environment, consider migrating to vendors with established security response programs. The short-term cost of new hardware beats the long-term risk of running firmware with known, unpatched backdoors in your network infrastructure.

CERT/CC has not observed active exploitation of CVE-2026-11405 in the wild yet, but public disclosure typically accelerates that timeline. We saw exactly that pattern with the Oracle E-Business authentication bypass, which went from disclosure to active attacks within days.

Related Articles