Tenda Router Backdoor Grants Attackers Full Admin Access Without Valid Credentials


A hidden authentication backdoor in several Tenda router firmware builds can let attackers bypass normal login checks and gain full administrator access to the device’s web management interface.

The vulnerability is tracked as CVE-2026-11405. The CERT Coordination Center advisory says the flaw exists in the /bin/httpd web server binary and affects specific firmware builds for Tenda FH1201, W15E, AC10, AC5, and AC6 devices.

The risk is serious because administrative access to a router can let an attacker change DNS settings, weaken security controls, redirect traffic, alter network configuration, or use the device as a stepping stone into the local network. The NVD record lists a CISA-ADP CVSS 3.1 score of 9.8 Critical, while NVD’s own enrichment has not yet been provided.

How the Tenda authentication backdoor works

The vulnerable code sits inside the login() function of /bin/httpd. Under normal conditions, the firmware checks the submitted password through an MD5-based verification path.

If that normal authentication fails, the function falls back to an undocumented mechanism. It reads an alternate password from the device configuration value sys.rzadmin.password and compares it directly with the password supplied by the person trying to log in.

The CVE record describes the issue as a hidden backdoor authentication mechanism that can grant access to the web management interface. If the fallback password matches, the firmware creates a valid session with role=2, which means administrator-level access.

ItemDetails
CVECVE-2026-11405
ProductTenda firmware for several router models
Vulnerable component/bin/httpd web server binary
Function involvedlogin()
Backdoor configuration keysys.rzadmin.password
Access gainedAdministrator role through a valid session
CISA-ADP CVSS 3.1 score9.8 Critical

Username checks do not protect affected devices

The most important technical detail is that the fallback path does not validate the username. Any username can work if the attacker supplies the backdoor password value expected by the firmware.

This means the normal administrator account password does not stop the attack. A device owner may have changed the admin password, but the hidden authentication path can still grant access if the web management interface is reachable.

The weakness aligns with CWE-912, which covers hidden functionality in software. In this case, the hidden behavior is not visible in the router’s normal administration interface, so users cannot easily see or disable it.

Affected Tenda firmware builds

CERT/CC has confirmed five affected firmware builds. Users should compare their installed firmware string carefully, because the advisory names specific builds rather than every router sold under those model names.

Router owners can check the firmware version through the local web management interface and then review available firmware packages through the Tenda download center. At the time of the advisory, CERT/CC said no patch was available.

The affected builds listed in the CERT/CC vulnerability note are:

Model or seriesConfirmed affected firmware build
Tenda FH1201US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
Tenda W15EUS_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
Tenda AC10US_AC10V1.0re_V15.03.06.46_multi_TDE01
Tenda AC5US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
Tenda AC6 V2US_AC6V2.0RTL_V15.03.06.51_multi_T

No patch was available at disclosure

CERT/CC said it could not reach Tenda to coordinate the vulnerability before publication. The advisory also says CERT/CC had not received a vendor statement.

That leaves users with mitigation steps rather than a confirmed firmware fix. The NVD entry for CVE-2026-11405 also lists the affected firmware versions and references the CERT/CC advisory, but notes that NVD assessment data has not yet been provided.

Users should keep checking the official Tenda firmware download page for updates. If no fixed firmware appears, replacing exposed or business-critical devices may become the safer long-term option.

Why router admin access matters

A router sits between users and the internet. If attackers gain administrator access, they can influence how devices on the network reach websites, services, and internal systems.

Attackers could change DNS servers to redirect users to malicious sites, open remote access paths, weaken firewall rules, or modify wireless settings. In a small business, a compromised router can also help attackers map internal devices and look for weaker systems.

The CVE entry frames the issue as administrative access to the web management interface, which is why the impact extends beyond a single setting or password. Full router control can affect the whole local network.

  • Attackers could change DNS or routing settings.
  • They could disable security features or weaken firewall rules.
  • They could alter Wi-Fi settings and expose the local network.
  • They could redirect users to malicious infrastructure.
  • They could use the router for persistence or further network attacks.

What Tenda users should do now

The first step is to check whether remote web management is enabled. If it is enabled, turn it off immediately unless there is a strict business requirement and compensating controls are in place.

Disabling remote management reduces the chance that attackers on the internet can reach the router’s web interface. It does not remove the backdoor from firmware, but it cuts off the most obvious remote attack path.

Users should also change the default LAN IP address to reduce opportunistic discovery by automated scans that target common local router addresses. This helps against broad scanning, but it does not stop a determined attacker who already has access to the local network.

  1. Log in to the router from the local network.
  2. Check the installed firmware version against the affected build list.
  3. Disable remote web management from the router settings.
  4. Change the default LAN IP address if the device allows it.
  5. Review DNS, port forwarding, remote access, and firewall settings for suspicious changes.
  6. Monitor the vendor’s firmware page for a fixed release.
  7. Replace the router if no patch appears and the device protects sensitive traffic.

How businesses should respond

Small businesses using affected Tenda devices should treat CVE-2026-11405 as an urgent exposure review, especially if router management is reachable from the internet or from guest Wi-Fi networks.

Security teams should scan their asset inventory for the listed models and firmware builds. They should also review logs, DNS settings, remote management settings, and any recent configuration changes on affected routers.

MITRE’s hidden functionality category is useful for risk framing because users cannot fix this through normal password hygiene. Changing the admin password is good practice, but it does not remove an undocumented authentication path in firmware.

Risk areaRecommended action
Internet-exposed management interfaceDisable remote web management immediately
Business-critical networkReplace affected devices if no fixed firmware is available
Guest Wi-FiSegment guest traffic away from router administration access
DNS integrityVerify DNS settings and monitor for unauthorized changes
Firmware managementTrack official updates and document device versions

Changing the password is not enough

Because the vulnerability sits in an undocumented fallback authentication path, changing the visible administrator password does not fully address the risk.

That makes exposure reduction the priority until patched firmware becomes available. Users should focus on limiting who can reach the web management interface and verifying that router settings have not been altered.

The main takeaway is simple: if an affected Tenda router is reachable by an attacker, the hidden authentication mechanism could allow administrative access without the owner’s configured credentials. Until Tenda releases a fix, users should disable remote management, limit local exposure, and consider replacing vulnerable hardware in sensitive environments.

FAQ

What is CVE-2026-11405?

CVE-2026-11405 is a hidden authentication backdoor in several Tenda router firmware builds. It can allow attackers to bypass normal password verification and gain administrator access to the web management interface.

Which Tenda firmware versions are affected?

CERT/CC lists five affected builds: US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T.

Is there a patch for the Tenda router backdoor?

CERT/CC said no patch was available at the time of disclosure and that it had not received a vendor statement from Tenda. Users should monitor Tenda’s official firmware download page for updates.

Does changing the router admin password fix CVE-2026-11405?

No. Changing the visible administrator password does not remove the hidden fallback authentication path. Users should still use strong passwords, but the main mitigations are disabling remote web management, limiting local access, and applying fixed firmware if one becomes available.

What should I do if my Tenda router is affected?

Disable remote web management, change the default LAN IP address, review DNS and firewall settings for suspicious changes, check for firmware updates, and replace the device if no patch is available and the router protects sensitive traffic.

Readers help support VPNCentral. We may get a commission if you buy through our links. Tooltip Icon

Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more

User forum

0 messages