Hidden authentication backdoor found in multiple Tenda router firmware versions
Security researchers have identified a hidden authentication mechanism in several Tenda router firmware builds that could let a remote attacker reach the device’s web management interface with adminis...
Security researchers have identified a hidden authentication mechanism in several Tenda router firmware builds that could let a remote attacker reach the device’s web management interface with administrative privileges. The flaw is tracked as CVE-2026-11405 and, according to CERT/CC, it remains unpatched.
CERT/CC says the issue stems from an undocumented code path in the login() routine inside the router’s /bin/httpd web server binary. Under normal conditions, the firmware checks credentials using an MD5-based login process. If that check fails, however, the device appears to fall back to an alternate password stored in the sys.rzadmin.password configuration value. If the supplied password matches that value, the router grants administrator access and opens a valid session, even if the username is incorrect or entirely arbitrary.
Because the mechanism is not described in the product documentation or exposed in the admin interface, users would have no obvious indication that this secondary login path exists. CERT/CC warned that successful abuse would give an attacker control over the router’s configuration, network settings, and security features, which could then be used to expand access across the local network.
Affected devices
- Tenda FH1201 running US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
- Tenda W15E running US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
- Tenda AC10 running US_AC10V1.0re_V15.03.06.46_multi_TDE01
- Tenda AC5 running US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
- Tenda AC6 V2 running US_AC6V2.0RTL_V15.03.06.51_multi_T
At the time of publication, no fix is available. CERT/CC advises owners to disable remote web management to reduce internet exposure and, where possible, change the default LAN IP address to make automated discovery by scanners less likely.
The issue was reported by an anonymous researcher. While there is no confirmed evidence of active exploitation yet, router vulnerabilities are frequently targeted by botnets, making rapid abuse a realistic concern.
