Sleek white wireless router with four antennas emitting soft blue and pink light.
News

CVE-2026-11405: The Hidden Admin Backdoor in Tenda Router Firmware That Nobody Patched

CVE-2026-11405 is an undocumented admin backdoor in Tenda router firmware. No patch exists. How the bypass works and what security teams must do now.
Sami Malik
Copywriter

If you manage a Tenda router running one of five affected firmware versions and remote management is enabled, there is a second password on the device that you did not set, cannot see in the admin interface, and cannot remove. An attacker who knows it can log in as administrator with any username they like. No exploit required. No brute force. Just the right string against the right endpoint, and they have full control.

That is the finding at the centre of CERT/CC's advisory published on 7 July 2026, describing CVE-2026-11405, an undocumented authentication backdoor in multiple versions of Tenda router firmware. The vulnerability was reported by an anonymous researcher. Tenda had not issued a patch as of the time of writing, and the company had not responded to requests for comment from The Hacker News.

How the Backdoor Works

The mechanism sits inside the login() function of the /bin/httpd binary, the web server process that handles the router's management interface. When a user attempts to authenticate, the code follows what looks like a standard path: it takes the supplied password, hashes it with MD5, and compares the result against the stored administrator password. That is the visible, documented authentication flow.

The problem is what happens when that comparison fails. Rather than rejecting the login, the code executes an alternate branch. It calls GetValue("sys.rzadmin.password"), a function that retrieves a separate password value stored in the device's configuration. It then performs a direct plaintext comparison between the user-supplied password and whatever that configuration value holds. If they match, the code sets role=2, the administrator role, and creates a valid elevated session. Access granted.

The username supplied at login is irrelevant. CERT/CC's advisory is explicit on this: "The associated ['rzadmin'] username is not validated, so any provided username will succeed when paired with the backdoor password." An attacker can log in as "admin", as "guest", as a blank string, as anything at all, as long as they pair it with the correct backdoor password value. The only check that matters is the one comparing against the hidden configuration entry.

The backdoor is, by design, invisible. "This backdoor authentication mechanism is not documented or visible through any administrative interface," CERT/CC confirmed. A network administrator who reviews the router's user management page, checks the running configuration, or reads the firmware manual will find no trace of the alternate authentication path. It is not a default credential that was left unchanged. It is an entirely separate code path that only activates when the normal authentication fails.

Which Firmware Versions Are Affected

Five specific firmware versions are named in the advisory. The affected builds cover multiple Tenda router product lines: US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T. The FH1201, W15E, AC10, AC5, and AC6 are widely deployed consumer and small-business routers sold in multiple markets.

Because no patch existed at the time of disclosure, the CERT/CC advisory falls into a category that complicates the standard vulnerability response: a known, actively disclosed authentication bypass with no vendor fix available. The researcher submitted the finding anonymously, which means there is no coordinated disclosure timeline to refer to and no confirmation that Tenda received advance notice before the advisory went public.

The practical reality for any organisation or individual running one of the affected models is that the device's web management interface cannot be secured against this attack through any configuration change alone. The backdoor is in the firmware itself. Patching the binary would require a firmware update that does not yet exist.

What an Attacker Can Do With Admin Access

Full administrative access to a router's web interface is a significant position. At a minimum, it means the attacker can read the complete device configuration, which typically includes the credentials for any upstream connections such as PPPoE or VPN tunnels, the Wi-Fi passphrase for every wireless network the device hosts, and the credentials for any services the device is configured to reach. On many SOHO router models, the admin interface also exposes the DNS server settings, which an attacker can redirect to a resolver they control to intercept all DNS queries from connected devices without modifying anything on those devices themselves.

Beyond reading configuration, an administrator can reconfigure port-forwarding rules to expose internal services to the internet, downgrade the firmware to a version with additional known vulnerabilities, disable firewall rules, and in some cases execute operating-system-level commands through the management interface's diagnostic tools. On the AC10 and AC6 models in particular, previous research has documented command injection vulnerabilities accessible through the web interface. An attacker who holds admin access and finds such a vector can move from web interface control to full shell access on the device.

For organisations with Tenda routers on the network perimeter or in branch offices, the position is one from which an attacker could monitor all unencrypted traffic passing through the device, redirect or intercept DNS for all connected clients, create a persistent entry point that survives the standard response of resetting end-user devices, and establish a stable outbound tunnel that bypasses network monitoring focused on endpoint behaviour.

Why Hidden Backdoors in Router Firmware Are a Persistent Problem

CVE-2026-11405 is not the first undocumented authentication bypass to appear in Tenda firmware, and Tenda is not the only router vendor with this history. The broader pattern, where a secondary authentication path exists in the firmware of a shipping product and survives for an extended period before a researcher identifies it, has appeared across multiple vendors including D-Link, Netgear, and TP-Link over the past decade.

Several distinct mechanisms produce these backdoors. Some are intentional service paths implemented for factory testing or remote support and never removed before production release. Some are the result of weak randomisation: a supposedly random "rzadmin" password that is derived from a device identifier in a predictable way across all units of the same model. Some are introduced through the supply chain, where firmware is built on a base provided by an ODM manufacturer and the integrating brand does not audit the complete authentication flow before shipping.

In the Tenda case, the specific form of the backdoor, a separate configuration-stored password retrieved only on failed normal authentication, with a non-validated username, suggests a deliberate service path rather than an accidental coding error. A random collision between a test password and a production code path does not produce that structure. Whether it was introduced intentionally, as a maintenance aid, or as part of a supply chain compromise is unknown, because Tenda has not commented on the finding.

Mitigations While No Patch Exists

CERT/CC's recommended mitigations address the attack surface without fixing the underlying code. The first is to disable remote management on the device. Most consumer and small-business Tenda routers have remote management disabled by default; it is typically an optional feature that allows the web interface to be reached from the WAN side of the connection. If remote management is not enabled, an attacker cannot reach the login endpoint from outside the local network. This is the highest-priority mitigation and the one that applies most broadly.

The second mitigation is to change the device's default LAN IP address. Many router security scanners and automated attack tools that probe for known-bad firmware target default IP ranges. Changing from the factory default reduces opportunistic discovery but does not prevent a targeted attacker who already knows the device is on the network from finding the management interface.

Neither mitigation addresses the backdoor itself. An attacker who has already gained access to the local network through a different vector, a compromised endpoint, a weak Wi-Fi password, or a phishing-delivered implant, can still reach the router's web interface from inside the network regardless of whether remote management is enabled. The management interface on LAN-side ports is typically always accessible. Against that threat model, the only complete fix is a firmware update that removes or properly gates the alternate authentication path, and that update does not yet exist.

What Security Teams Should Do

The immediate response for any security team with Tenda devices on managed networks is to build an inventory of affected firmware versions. The five version strings in the CERT/CC advisory are specific enough to match against a device management platform or a network discovery scan. Any device running one of the listed versions and with remote management enabled should have remote management disabled immediately. Any device with remote management already disabled should be noted for firmware tracking, so that when a patch does arrive, it can be deployed promptly.

For environments where Tenda routers are deployed at branch offices, retail locations, or remote sites where a network administrator cannot physically attend quickly, a central management or remote configuration capability is often the reason remote management is enabled in the first place. In those cases, disabling remote management removes the attack vector but creates an operational problem. One interim approach is to restrict remote management to a specific IP range or VPN address rather than leaving it open to all inbound connections, if the device's firmware supports that granularity of access control.

The broader question for procurement teams is whether consumer-grade or small-business routers from vendors with a documented history of firmware backdoors should be used in any network-connected role where they represent a trust boundary. The Tenda CVE-2026-11405 finding is the most recent in a catalogue of similar discoveries. Organisations that have standardised on enterprise-grade network equipment with an active firmware update programme and a tracked security disclosure history have a meaningfully different risk profile for this class of vulnerability than those that have deployed consumer hardware to reduce equipment costs.

The Responsible Disclosure Problem When No Patch Exists

The standard coordinated disclosure model assumes a vendor will issue a patch before public disclosure, or at least within a defined window after private notification. CVE-2026-11405 does not fit that model. Tenda has not patched the vulnerability and, as of CERT/CC's publication, had not responded to the advisory process. The result is a disclosed, publicly known backdoor with no vendor-supplied fix and no clear timeline for one.

This situation puts the burden of risk management entirely on the organisations and individuals who own the affected devices. There is no "wait for the patch and then apply it" path here. The mitigations CERT/CC describes, disabling remote management and changing the default LAN IP, reduce the attack surface but do not remove the vulnerability. A device that is accessible only from the local network is still exploitable by any attacker who has gained local network access through another means.

The anonymous researcher who submitted the finding chose not to publish technical exploitation details alongside the CERT/CC advisory, which limits the immediate risk from opportunistic attackers who depend on published proof-of-concept code. That is a responsible choice. But it also means that without a patch and without a public exploit, the incentive for Tenda to act quickly is reduced. The history of small consumer router manufacturers responding to disclosed vulnerabilities suggests that firmware updates for affected products may arrive on timescales measured in months rather than weeks, if they arrive at all for older models.

Network Segmentation as a Long-Term Mitigation

For organisations that cannot replace affected Tenda routers immediately, network segmentation offers a structural mitigation that is more durable than configuration changes on the device itself. If the router sits behind a firewall or is separated from sensitive systems by a network boundary that controls which devices can reach the router's management interface, the exposure from an internal attacker who gains LAN access is limited to the segment where the router resides.

Small and medium businesses that run Tenda routers in branch offices alongside servers, workstations, and point-of-sale systems on a flat network have the highest exposure. An attacker who compromises any device on that flat network can reach the router's management interface at its LAN IP and exploit CVE-2026-11405 without traversing any additional security control. Segmenting the network so that the router's management plane is accessible only from a dedicated management VLAN or from a specific trusted IP reduces the blast radius of an endpoint compromise significantly.

The longer-term lesson from CVE-2026-11405 is about procurement policy. Consumer and small-business router manufacturers operate with thin margins and limited security engineering resources. The firmware development process at companies like Tenda does not typically include formal security code review, and the disclosure response process, as illustrated by the absence of any Tenda response in this case, is often effectively non-existent. Organisations that manage networks for multiple sites or that have security obligations stemming from industry regulation should evaluate whether consumer-grade network hardware is appropriate for their risk profile, regardless of its cost advantage.

How Attackers Find and Exploit Exposed Router Management Interfaces

Router management interfaces exposed to the internet are a consistent target for mass scanning tools. Automated scanners maintained by threat actors cycle through IP ranges looking for open ports associated with web-based management, typically TCP port 80 and 443, but also the non-standard ports that some router models use to separate management traffic from user traffic. Once a scanner identifies a responsive Tenda interface, automated scripts can test known default credentials, attempt known exploit paths, and in the case of CVE-2026-11405, test whether a backdoor password drawn from previously disclosed Tenda backdoor research unlocks the device.

The wider body of Tenda firmware research is relevant here. Security researchers have documented multiple previous Tenda vulnerabilities involving hardcoded credentials, authentication bypasses, and command injection flaws. Some of these earlier vulnerabilities have had their backdoor passwords publicly documented in security papers and in the databases maintained by exploit repositories. An attacker targeting CVE-2026-11405 has a body of prior art to work with when attempting to identify the value stored in the sys.rzadmin.password configuration entry, since the mechanisms used in previous Tenda backdoors sometimes shared values across firmware generations.

Shodan and Censys, the internet-scanning services used by both security researchers and threat actors to map the global attack surface, return results for Tenda router management interfaces accessible from the public internet. These searches can be run without credentials and produce a list of IP addresses, geographic locations, and firmware version fingerprints for exposed devices. An attacker who wants to target CVE-2026-11405 at scale can use these services to generate a target list in minutes. The anonymous nature of the vulnerability disclosure means there is no coordinated effort between the researcher and a cleanup process for affected devices: no ISP notifications, no takedown, no automated vulnerability scanning alerts sent to device owners.

Firmware Analysis and What Researchers Can Determine Without a Patch

Security researchers with access to the affected firmware images can perform static analysis on the /bin/httpd binary to extract the value stored in the sys.rzadmin.password configuration entry, or to understand the algorithm by which it is derived. If the backdoor password is a static value consistent across all devices of a given model, it will eventually appear in public documentation, making the vulnerability trivially exploitable for anyone who reads the relevant research. If the password is derived from a device-specific identifier such as a serial number or MAC address, the calculation will be reverse-engineered and published, making it exploitable for any attacker who can observe or obtain that identifier.

This analysis work happens regardless of whether Tenda issues a patch. The timeline for public disclosure of the actual backdoor credential value is typically shorter than the timeline for a firmware fix. Device owners who are waiting for a patch before acting are operating under a false assumption: the risk does not remain at its current level while they wait. It increases as more researchers publish their findings about the specific mechanism of CVE-2026-11405.

The appropriate response to this dynamic is to treat the mitigation steps CERT/CC has published as mandatory and immediate rather than temporary and optional. Disabling remote management removes the externally accessible attack surface. Changing the LAN IP reduces the automatic discoverability of the management interface on the local network. Neither of these mitigations depends on a firmware update, and both remain effective regardless of how the backdoor credential mechanism is eventually documented.

What a Complete Recovery Looks Like

For any organisation that identifies a Tenda device matching the affected firmware versions with remote management enabled, and that cannot immediately determine whether the device has already been accessed via the backdoor, the recovery process extends beyond simply disabling remote management. A factory reset of the device clears any configuration changes an attacker may have made, including any port-forwarding rules or DNS changes that may have been applied during undetected access. After a factory reset, the device should be reconfigured from scratch rather than restored from a backup that might preserve attacker-made changes.

If the device has been exposed to the internet with remote management enabled for an extended period, the network segment it serves should be reviewed for indicators that suggest traffic has been redirected or intercepted. Unexpected DNS query failures, certificate errors on sites where no recent infrastructure change occurred, or users reporting being redirected to unexpected pages are all potential indicators of a compromised router that was redirecting DNS traffic. These effects do not automatically clear when the router is factory-reset or replaced; DNS poisoning on client devices that cached entries served by a compromised resolver can persist until those cache entries expire or the clients are restarted.

How Defendis Can Help

Unpatched routers, exposed privileged access management portals, and web application servers running outdated software all represent footprints your organisation may not know it has. Defendis continuously monitors the attack surface visible from the outside: exposed services, leaked credentials, and chatter in underground markets where initial access to specific organisations is traded. When a new critical vulnerability lands against software your organisation runs, or when credentials from your domain appear in a stealer log, your team gets the signal before an attacker acts on it. See how early exposure detection changes incident outcomes, or request a tailored briefing for your organisation.

About the author
Sami Malik is a copywriter passionate about crafting clear, engaging, and impactful content that helps brands connect with their audience through storytelling and strategy.

Related Articles

Discover simplified
Cyber Risk Management
Learn how to prevent cyberattacks proactively with a free trial of Defendis.