CERT/CC has issued a security bulletin warning of an undocumented authentication backdoor embedded in firmware across at least five Tenda router models. The vulnerability, tracked as CVE-2026-11405, allows an attacker to bypass normal credential verification and obtain full administrative control of the device’s web management interface.

How the Backdoor Works

The flaw resides in the login() function within the /bin/httpd web server binary. During a login attempt, the firmware first performs standard MD5-based password authentication. If that check fails, the code retrieves an alternate password stored in the sys.rzadmin.password configuration value and compares it directly against the plaintext password provided by the user. A match at this stage grants administrator-level access (role=2) and creates a valid session, regardless of which username was supplied.

This secondary mechanism is not documented anywhere in the administrative interface or accompanying materials, leaving users with no indication the pathway exists.

Affected Firmware Versions

  • Tenda FH1201 – US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
  • Tenda W15E – US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
  • Tenda AC10 – US_AC10V1.0re_V15.03.06.46_multi_TDE01
  • Tenda AC5 – US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
  • Tenda AC6 V2 – US_AC6V2.0RTL_V15.03.06.51_multi_T

Impact and Risk

Successful exploitation grants an attacker complete administrative control over the device. From that position, an adversary can reconfigure routing and DNS settings, alter firewall rules, disable security features, and pivot into the broader local network. CERT/CC notes the issue is particularly concerning because no patch is available and Tenda has not responded to outreach attempts.

CVE-2026-11405 was reported to CERT/CC by an anonymous researcher. No evidence of active exploitation has been disclosed at this time, though router vulnerabilities of this nature are frequent targets for automated botnet campaigns.

Recommended Mitigations

  • Disable the remote web management panel to prevent exposure of the vulnerable interface to the internet.
  • Change the default LAN IP address to reduce the likelihood of discovery by opportunistic automated scanners on the local network.

Until Tenda releases a firmware update addressing CVE-2026-11405, users should treat these devices as unpatched and limit their management interface exposure accordingly.