CERT/CC Flags Undocumented Admin Backdoor in Tenda Router Firmware

The CERT Coordination Center (CERT/CC) has issued an alert about a hidden authentication mechanism found in several Tenda router firmware releases. The flaw, tracked as CVE-2026-11405, can allow an at...

The CERT Coordination Center (CERT/CC) has issued an alert about a hidden authentication mechanism found in several Tenda router firmware releases. The flaw, tracked as CVE-2026-11405, can allow an attacker to bypass normal password checks and reach the web administration interface with full privileges.

According to CERT/CC, the issue affects the /bin/httpd web server component used by the routers’ management interface. During login, the code first attempts standard MD5-based password verification. If that check fails, it follows a second path that retrieves a value from the device configuration, sys.rzadmin.password, and compares it directly with the password entered by the user. When the values match, the session is granted administrator access.

The alert notes that the associated username is not meaningfully validated, which means any username can be used if the password matches the hidden value. CERT/CC said the mechanism is not documented and does not appear in the normal administrative interface, making it effectively a concealed backdoor rather than a standard feature.

Firmware versions identified as affected

  • US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
  • US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
  • US_AC10V1.0re_V15.03.06.46_multi_TDE01
  • US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
  • US_AC6V2.0RTL_V15.03.06.51_multi_TDE01

If exploited, the flaw could give an attacker the ability to change router settings, turn off security controls, or reconfigure the device entirely. That could expose connected networks to traffic interception, service disruption, or broader compromise.

The vulnerability was reported by an anonymous researcher and remains unpatched at the time of publication. In the meantime, CERT/CC recommends limiting exposure by disabling remote administration and changing the default LAN IP address to reduce the chance of automated discovery and opportunistic attacks.