Tenda Router Backdoor Grants Admin Access — No Patch Available
CERT/CC warns of CVE-2026-11405, an undocumented authentication backdoor in Tenda router firmware. The vendor remains unreachable with no fix in sight.
Multiple Tenda router models ship with a hidden authentication backdoor that lets anyone with network access gain full administrative control—and the vendor hasn't responded to disclosure attempts.
The CERT Coordination Center published Vulnerability Note VU#213560 on July 6, 2026, warning that the flaw, tracked as CVE-2026-11405, exists in the firmware's web server binary. An anonymous researcher discovered the issue and reported it through CERT/CC after failing to reach Tenda directly.
How the Backdoor Works
The vulnerability sits in the login() function of the /bin/httpd binary that handles web management authentication. When a standard login attempt fails—normally meaning the MD5-hashed password doesn't match—the firmware takes an alternate path.
Instead of rejecting the attempt, it calls GetValue("sys.rzadmin.password") to retrieve a secondary password stored in the device configuration. If the user-supplied password matches this hidden value in a direct strcmp() comparison, the router grants full administrative access with role=2 privileges.
The backdoor ignores usernames entirely. Any username paired with the secret password succeeds, bypassing whatever credentials the device owner configured.
"With administrative control, an attacker can reconfigure the device, alter network settings, and disable security features," CERT/CC stated in the advisory, noting this could enable "broader compromise of the local network."
Affected Devices
Five firmware versions across popular Tenda models contain the backdoor:
- FH1201: US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
- W15E: US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
- AC10: US_AC10V1.0re_V15.03.06.46_multi_TDE01
- AC5: US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
- AC6 V2: US_AC6V2.0RTL_V15.03.06.51_multi_T
These models are common in home and small business environments, particularly in markets where budget-friendly networking gear dominates. The AC series routers sell well on Amazon and through regional distributors.
Intentional or Oversight?
The configuration key sys.rzadmin.password ships populated by default, which means Tenda built this authentication path into the firmware deliberately. Whether it was intended as a support backdoor, debug mechanism, or something else remains unclear—the vendor hasn't commented.
This pattern echoes similar discoveries in consumer networking equipment over the years. Router manufacturers have repeatedly shipped devices with hardcoded credentials or hidden admin accounts, sometimes for legitimate support purposes that became security liabilities once exposed.
The lack of username validation makes this backdoor particularly easy to exploit. Attackers don't need to guess or discover a specific admin account—any string works as long as they have the backdoor password. Authentication bypasses in network appliances have become a recurring theme this year, including the Citrix NetScaler memory overread that drew comparisons to CitrixBleed.
No Patch, No Response
CERT/CC explicitly noted in the advisory: "We have not received a statement from the vendor." Coordination attempts failed, leaving the vulnerability disclosed without any remediation from Tenda.
This puts affected device owners in an uncomfortable position. Without a firmware update, the backdoor will remain in the code indefinitely. The situation mirrors what we saw last week with the Cisco Catalyst Center path traversal issue, though Cisco at least acknowledged the report and provided patches.
Tenda has faced security criticism before. The company's products have accumulated dozens of CVEs over the past several years, ranging from command injection to authentication bypasses. Chinese network equipment vendors broadly have struggled with timely security response processes that meet Western disclosure expectations.
What You Can Do
Since no patch exists, CERT/CC recommends these mitigations:
-
Disable remote web management — This prevents attackers from reaching the login page over the internet. Most Tenda routers have this setting in the administration panel under remote management or WAN access options.
-
Change the default LAN IP address — Moving off 192.168.0.1 or 192.168.1.1 won't stop a determined attacker, but it reduces hits from automated scanners that target common default ranges.
-
Restrict local network access — If you can segment the network, limiting which devices can reach the router's management interface reduces exposure from compromised endpoints.
None of these fully eliminate the risk. The backdoor password likely exists in firmware binaries that researchers or attackers could extract through reverse engineering. Once that value becomes public, anyone with local network access could exploit it trivially.
Should You Replace the Router?
For home users, the risk depends on threat model. An attacker needs network access first—either through a compromised device on your LAN or by tricking you into visiting a malicious page that performs cross-site request attacks against your router. Most commodity malware doesn't target specific router models.
For businesses or anyone handling sensitive data, replacement makes sense. The combination of no vendor response, no patch timeline, and an intentionally planted backdoor password suggests the situation won't improve. Budget-tier networking gear comes with budget-tier security support.
If you're running one of the affected models in a production environment, consider migrating to vendors with established security response programs. The short-term cost of new hardware beats the long-term risk of running firmware with known, unpatched backdoors in your network infrastructure.
CERT/CC has not observed active exploitation of CVE-2026-11405 in the wild yet, but public disclosure typically accelerates that timeline. We saw exactly that pattern with the Oracle E-Business authentication bypass, which went from disclosure to active attacks within days.
Related Articles
Arista Refuses to Patch Exploited Flaw Added to CISA KEV
CVE-2026-7473 lets attackers bypass tunnel security controls on Arista network devices. CISA added it to KEV—but Arista says patching would 'break existing configurations.'
Jun 11, 2026Ubiquiti Patches Three CVSS 10.0 Flaws in UniFi OS
Ubiquiti releases emergency patches for three maximum-severity vulnerabilities in UniFi OS that allow unauthenticated remote attackers to take full control of network appliances. 100,000 devices exposed.
May 23, 2026Ubiquiti UniFi Flaw Scores CVSS 10—Patch Before Full Takeover
CVE-2026-22557 lets unauthenticated attackers traverse paths and hijack UniFi Network accounts. CVSS 10.0 severity demands immediate patching to 10.1.89.
Mar 27, 2026HPE AOS-CX Switches Vulnerable to Admin Password Reset (CVSS 9.8)
CVE-2026-23813 allows unauthenticated attackers to reset admin passwords on HPE Aruba AOS-CX switches. No exploitation seen yet, but patch immediately.
Mar 16, 2026