CERT/CC Finds Hidden Admin Backdoor CVE-2026-11405 in Tenda Firmware

CERT/CC disclosed CVE-2026-11405, a hidden backdoor in Tenda router firmware granting unauthenticated full admin access. No vendor patch is available.
Table of Contents
    Add a header to begin generating the table of contents

    CERT/CC published an advisory on July 7 documenting a hidden authentication backdoor embedded in multiple Tenda router firmware versions that allows any attacker with access to the router’s web management interface to log in as an administrator without entering valid credentials. Tenda has not acknowledged the vulnerability and no vendor-supplied patch exists.

    CVE-2026-11405: The Undocumented Login Path Hidden in Tenda’s httpd Binary

    CVE-2026-11405 is not a logic flaw or misconfiguration — it is an undocumented alternate authentication pathway built directly into the router’s web server code. CERT/CC’s analysis identified the backdoor within the login() function of the /bin/httpd web server binary present in multiple Tenda firmware versions.

    The standard authentication path in these firmware versions uses MD5-based password verification. When that verification fails, however, a second code path activates rather than terminating the authentication attempt. This alternate path calls GetValue("sys.rzadmin.password") to retrieve a separate password value stored directly in the device configuration and compares the attacker’s input to that value in plaintext. The existence of this secondary credential mechanism is entirely undocumented in any Tenda product documentation or user-facing interface.

    The result is that every affected Tenda router has two administrative passwords: the one the user sets and knows, and a second one stored in the device configuration that the user cannot see, change, or remove through normal device management.

    The Firmware Versions CERT/CC Confirmed as Affected

    CERT/CC confirmed the backdoor in five distinct firmware versions spanning multiple Tenda product lines. The affected versions are: US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T. These span the Tenda FH1201, W15E, AC10, AC5, and AC6 product lines — a range of consumer and small-business router hardware with broad deployment across home and small office networks.

    CERT/CC did not indicate that the vulnerability list is exhaustive. The backdoor’s presence in firmware code common to multiple product lines suggests additional Tenda models may be affected beyond those formally confirmed in the advisory.

    Why a Hardcoded Alternate Credential Is Worse Than a Default Password

    The class of vulnerability represented by CVE-2026-11405 is more severe than a default password left unchanged by a user. Default passwords are documented, user-visible, and can be changed. The rzadmin password stored in Tenda’s device configuration exists outside the user-accessible password management interface. Users who have changed their router’s administrative password, believing they have secured the device, remain fully vulnerable to anyone who discovers the backdoor credential.

    Because the alternate credential is stored in the device configuration rather than hardcoded to a fixed string, the specific password value may vary across devices or firmware builds. However, that variability does not eliminate the attack surface — once an attacker identifies the configuration key sys.rzadmin.password and the firmware structure, extraction of the credential from device firmware images or through configuration export becomes a practical attack step. Any threat actor who has catalogued the backdoor can build a systematic tool to exploit it at scale.

    The attack vector is the web management interface, which on many consumer routers is accessible from the local network by default. Networks where router management is exposed to the internet — either deliberately or through ISP default configurations — face external exploitation risk.

    No Patch Available and No Vendor Acknowledgment

    As of CERT/CC’s July 7 disclosure, Tenda has not publicly acknowledged CVE-2026-11405 and has not released a firmware update addressing the backdoor for any of the confirmed affected models. Owners of affected devices have no vendor-provided remediation path.

    CERT/CC’s advisory recommends several mitigations in the absence of a patch. Disabling remote access to the router’s web management interface removes the primary external attack vector. Placing the management interface behind a firewall or VPN restricts access to trusted network segments. For organizations where ongoing exposure is unacceptable and no patch materializes, replacing the affected firmware with open-source alternatives on supported hardware is listed as an option.

    The disclosure follows CERT/CC’s coordinated vulnerability disclosure process, which typically involves attempting vendor contact before publication. The absence of any Tenda acknowledgment or patch in the advisory suggests either vendor non-response or a response indicating no remediation would be provided in the timeframe. Tenda devices remain widely sold across retail channels in North America and Europe, making the lack of a vendor patch a persistent risk for the installed base.

    Related Posts