CERT/CC published VU#213560 on July 6, disclosing CVE-2026-11405, an undocumented authentication backdoor baked into the web-management binary of multiple Tenda router firmware builds. The mechanism accepts any username and a secondary, device-stored password value instead of the real admin credential, handing out full administrative sessions to anyone who reaches the login page. No patch exists. CERT/CC first notified Tenda on May 19 and received no response before the public disclosure window closed.
What happened
The backdoor lives in the login() function of /bin/httpd, the web server binary that serves Tenda’s router admin panel. Normal authentication does an MD5 comparison against the configured admin password. If that check fails, the function doesn’t stop there — it falls through to a second path that calls GetValue("sys.rzadmin.password") to pull an alternate password value out of the device’s own configuration store, then does a plaintext string comparison between whatever the client submitted and that stored value.
If the two match, the request is granted role=2 (administrator) and a fully valid session is issued — no ties to the real admin password, no logging distinct from a normal login, and critically, any username is accepted as long as the backdoor password is supplied. This isn’t a logic bug that emerged from a refactor; it’s a second, parallel authentication path that was clearly built in deliberately and never documented.
Because the check happens inside the same request/response cycle as normal login, exploitation is a single unauthenticated HTTP POST to the login endpoint — no session state, no CSRF token, no multi-step chain.
Affected versions
CERT/CC and Tenda’s own firmware listings confirm the backdoor in at least five builds across four device lines:
- Tenda FH1201 —
US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD - Tenda W15E —
US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE - Tenda AC10 —
US_AC10V1.0re_V15.03.06.46_multi_TDE01 - Tenda AC5 —
US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 - Tenda AC6 V2 —
US_AC6V2.0RTL_V15.03.06.51_multi_T
Given the shared /bin/httpd codebase across Tenda’s consumer and SMB router lines, researchers assess the actual affected population is likely broader than the confirmed list — firmware sharing across product families is common for this vendor and hasn’t been fully audited.
Impact
Full administrative access to a home or small-office router means an attacker can rewrite DNS to redirect traffic, enable remote management to maintain persistent access, pivot into the internal LAN, harvest credentials passing through the device, or fold the router into a botnet. Tenda devices are inexpensive and widely deployed in residential and small-business settings globally, which is exactly the population least likely to be running current firmware or monitoring device logs.
CVE-2026-11405 is not yet in the CISA KEV catalog, but multiple independent researchers report in-the-wild scanning consistent with a public Nmap NSE detection script, meaning opportunistic mass exploitation is already underway rather than theoretical. The vulnerability requires network access to the router’s management interface — the practical risk hinges entirely on whether that interface is exposed.
Mitigation
There is no vendor patch as of this writing, and Tenda has been unresponsive to CERT/CC’s coordination attempts since May. Until that changes:
- Disable remote/WAN web management on every affected device — this is the single highest-leverage step, since it removes internet-facing exposure to the backdoor entirely.
- Restrict management access to LAN only, and change the router’s default LAN IP range to reduce discovery by automated scanners that assume default subnets.
- Scan your environment for the affected firmware strings above; if you manage fleets of consumer/SMB network gear, treat unmanaged Tenda deployments as an asset-inventory gap to close.
- Replace end-of-support or unresponsive-vendor hardware where feasible — a backdoor with no coordinated fix and no vendor engagement is a strong signal the device shouldn’t stay on a network you care about.
- Monitor for anomalous admin logins and unexpected configuration changes (DNS settings, port forwarding rules, new admin accounts) on any Tenda device that has ever had WAN-facing management enabled.
References
- CERT/CC — VU#213560: Tenda firmware (multiple versions) contains hidden authentication backdoor
- The Hacker News — CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware
- BleepingComputer — Hidden backdoor in Tenda router firmware grants admin access
- Security Affairs — Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available