A newly disclosed vulnerability in multiple Tenda router firmware versions has exposed an undocumented authentication backdoor that lets attackers seize complete administrative control of affected devices, bypassing password protections entirely.
Tracked as CVE-2026-11405 and published under CERT/CC’s Vulnerability Note VU#213560 on July 6, 2026, the flaw affects widely deployed home and small-business networking equipment from Tenda, a major supplier of routers, switches, and wireless access points.
The vulnerability lives inside /bin/httpd, the web server binary that powers Tenda’s device management interface. Under normal conditions, the login() function verifies credentials using MD5-based password hashing, a standard, if aging, authentication approach.
But researchers found a hidden fallback path. If the standard authentication fails, the function silently calls GetValue("sys.rzadmin.password") to pull an alternate password stored in the device’s configuration. It then compares this value against the attacker’s input using a plaintext strcmp() check rather than a hashed comparison.
If the values match, the system grants role=2 admin-level access and issues a valid session token; no legitimate credentials required. Compounding the issue, the associated username field isn’t validated at all, meaning any username paired with the correct backdoor password succeeds.
CERT/CC identified five specific firmware builds as vulnerable:
- US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
- US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
- US_AC10V1.0re_V15.03.06.46_multi_TDE01
- US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
- US_AC6V2.0RTL_V15.03.06.51_multi_T
Given Tenda’s global footprint in consumer and SOHO networking gear, the actual exposure could extend beyond this initial list, particularly if the backdoor mechanism is shared across other firmware branches.
Successful exploitation hands attackers the keys to the entire network perimeter. With admin access, they can reconfigure DNS settings, disable firewall rules, intercept traffic, or pivot deeper into connected devices, turning a single router compromise into a foothold for broader network infiltration.
CERT/CC noted it was unable to establish contact with Tenda to coordinate disclosure, leaving the vulnerability unpatched at time of publication. Until a fix materializes, the advisory recommends two mitigations:
- Disable remote management if your device exposes the web interface to the internet, closing off external exploitation
- Change the default LAN IP address to reduce discovery by automated scanners, though this won’t stop targeted attacks
Hardcoded and undocumented backdoors remain a persistent blind spot in consumer IoT and networking hardware, often surviving unnoticed for years because they bypass normal authentication logging and don’t appear in any admin-facing documentation.
This incident underscores why security researchers routinely recommend firmware binary analysis as part of vulnerability research; flaws like this rarely surface through conventional penetration testing alone.