Multiple Tenda router models contain a hidden flaw. Researchers track this Tenda authentication backdoor as CVE-2026-11405, which grants attackers full administrative access. Currently, researchers have not confirmed any active exploitation or public proof-of-concept code.
- CVE: CVE-2026-11405
- CVSS: Awaiting analysis
- Product: Tenda firmware
- Affected: US_AC6V2.0RTL_V15.03.06.51_multi_T, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
- Impact: Hidden backdoor authentication mechanism in multiple versions of Tenda firmware allows admin access to web management interface
- Status: No confirmed exploitation yet
- Action: Apply workarounds immediately!
TL;DR
Several Tenda firmware versions hide an undocumented authentication backdoor. This critical vulnerability bypasses standard password checks. Attackers can take over the device web interface without valid credentials.
Why It Matters
Network routers guard the border between local devices and the public internet. If an attacker breaches the router, they control the entire local network. This Tenda authentication backdoor gives attackers immediate administrative control. They can change network settings and disable crucial security features. An attacker could reroute traffic or intercept sensitive data passing through the network.
How the Attack Works
The web server binary /bin/httpd hosts the vulnerability. Specifically, the login() function contains the hidden mechanism. The system first tries normal MD5 password verification. If that fails, the function checks the password against a configuration value. The configuration file stores this hidden value as sys.rzadmin.password. A successful match grants level two administrative access. The system does not validate the username during this process. Any username paired with the secret password creates a valid session.
Affected Versions
The advisory lists five specific firmware versions. Affected models include FH1201, W15E, AC10, AC5, and AC6 variants.
Mitigation Steps
The vendor has not released a patch for CVE-2026-11405. Administrators must apply workarounds immediately. First, disable remote web management to block external internet attacks. Second, change the default LAN IP address. This step reduces discovery by automated scanners on local networks.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.