Hidden authentication backdoors have been found in a number of variations of Tenda router firmware that might permit an attacker to achieve administrative entry to the gadget’s internet admin panel.
Based on a safety bulletin from the CERT Coordination Middle, the problem stays unresolved because the Chinese language producer of the community gear couldn’t be reached.
Based on CERT/CC, this difficulty, tracked as CVE-2026-11405, is attributable to an undocumented authentication mechanism within the ‘login()’ perform of the online server binary ‘/bin/httpd’.
When a consumer makes an attempt to log in, the router’s firmware performs normal MD5-based authentication. If this fails, get hold of an alternate password from the “sys.rzadmin.password” configuration worth and examine it on to the plaintext password supplied by the distant consumer.
If the passwords match, the gadget grants administrator (function=2) entry and creates a sound session, whatever the username entered.
Subsequently, any username will probably be accepted by the mechanism so long as a backdoor password is supplied.
Based on CERT/CC, this mechanism is just not documented wherever or talked about within the administrative interface, leaving customers unaware of the dangers.
“Profitable exploitation might grant full administrative entry to the gadget’s internet interface, whatever the configured administrator account credentials,” CERT/CC explains.
“Administrative controls permit attackers to reconfigure units, change community settings, and disable security measures, permitting widespread compromise of native networks.”
CVE-2026-11405 impacts the next Tenda firmware variations and units:
- US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD – Tenda FH1201 (WiFi Router)
- US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE – Tenda W15E (WiFi router)
- US_AC10V1.0re_V15.03.06.46_multi_TDE01 – Tenda AC10 (WiFi Router)
- US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 – Tenda AC5 (WiFi Router)
- US_AC6V2.0RTL_V15.03.06.51_multi_T – Tenda AC6 V2 (WiFi Router)
CERT/CC stories that there are at present no patches accessible and Tenda customers are suggested to disable the distant internet administration panel to forestall web entry to the susceptible interface.
Moreover, we advocate altering the default LAN IP deal with to restrict native community publicity to cut back opportunistic detection by automated scanners.
CVE-2026-11405 was found by an nameless researcher and reported to CERT/CC.
Though there isn’t a point out of energetic exploitation, this difficulty may be very more likely to develop into a goal for botnets targeted on router flaws sooner or later.
BleepingComputer has reached out to Tenda for remark and can add any responses.

Safety groups doc 54% of profitable assaults and difficulty a warning on solely 14%. The remaining strikes invisibly via the atmosphere.
Picus’ whitepaper reveals learn how to take a look at your SIEM and EDR guidelines in breach and assault simulations to make sure threats go undetected.
Get the white paper
