Tenda firmware CVE-2026-11405 hidden authentication backdoor
Summary
Several Tenda router firmware builds contain an undocumented authentication backdoor in the web-management interface. CERT/CC published VU#213560 on July 6, 2026 and tracks the issue as CVE-2026-11405. If an attacker can reach the device's web UI, a special configuration-stored password path can bypass the normal administrator password check and grant admin-level access with any username.
No vendor patch was available at publication time; CERT/CC reported that it was unable to coordinate a fix with Tenda. Defenders should prioritize exposure reduction for affected models and treat remotely managed or internet-reachable devices as high-risk.
Tags
- ops
- vulnerability
- router
- SOHO router
- Tenda
- CVE-2026-11405
- VU#213560
- authentication bypass
- hidden backdoor
- web management interface
- edge device
- CERT/CC
Affected firmware builds
CERT/CC listed the following affected firmware versions:
| Device / firmware family | Affected firmware string |
|---|---|
| FH1201 | US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD |
| W15E | US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE |
| AC10 | US_AC10V1.0re_V15.03.06.46_multi_TDE01 |
| AC5 | US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 |
| AC6 | US_AC6V2.0RTL_V15.03.06.51_multi_T |
Public vulnerability detail
CERT/CC describes the vulnerable logic in /bin/httpd inside the login() function:
- The web server first attempts the normal MD5-based administrator password verification path.
- If that normal authentication path fails, the code calls
GetValue("sys.rzadmin.password")to retrieve an alternate password value from device configuration. - The user-supplied password is compared directly against that stored alternate value with
strcmp(). - If the comparison succeeds, the device creates a valid session with
role=2administrator privileges. - The username is not validated, so any username can work when paired with the alternate password.
The alternate authentication path is undocumented and not exposed through the administrative UI.
Defender notes
- Disable remote web management on affected Tenda devices immediately where possible.
- Place device administration interfaces behind trusted management networks, VPN, or allow-listed administrative hosts; do not expose the web UI directly to the internet.
- Inventory Tenda FH1201, W15E, AC10, AC5, and AC6 deployments and collect firmware-version evidence before replacement or reconfiguration where incident response may be required.
- If remote management was enabled, review configuration changes, DNS/DHCP settings, port forwards, VPN settings, firewall rules, and any unexpected administrator sessions.
- Assume password changes alone are insufficient while the hidden alternate-password code path remains present.
- Replace or isolate affected devices if no fixed firmware is available for the exact model and build.
- Monitor for scans or login attempts against Tenda web-management paths from untrusted networks.
Why this matters
- SOHO and small-business routers are routinely folded into proxy, credential-theft, DDoS, and reconnaissance infrastructure.
- An authentication backdoor in the management UI can give an attacker durable control over DNS, routing, firewall, Wi-Fi, NAT, and remote-management configuration.
- Unpatched edge devices often sit outside centralized EDR and patch-management programs, making exposure reduction and asset inventory the primary defenses.
Related pages
- AryStinger legacy-router recon proxy network
- JDY SOHO / IoT reconnaissance botnet
- xlabs_v1 DDoS-for-hire IoT botnet
Sources
- CERT/CC VU#213560: https://kb.cert.org/vuls/id/213560
- CVE record: https://www.cve.org/CVERecord?id=CVE-2026-11405
- The Hacker News: https://thehackernews.com/2026/07/certcc-warns-of-hidden-admin-backdoor.html