"An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials," the CERT Coordination Center (CERT/CC) warned Monday.
A concise summary of the risk
Several versions of firmware from Chinese network device maker Tenda embed an undocumented authentication backdoor that grants administrative access to the devices' web management interfaces, CERT/CC reported. The vulnerability, identified as CVE-2026-11405, allows an attacker to circumvent normal password verification and obtain full administrative privileges without valid credentials. The flaw was reported by an anonymous researcher and remains unpatched as of writing; The Hacker News has contacted Tenda for comment.
Affected Tenda firmware versions
CERT/CC named five specific firmware releases that contain the backdoor. They are listed exactly as published:
- US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
- US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
- US_AC10V1.0re_V15.03.06.46_multi_TDE01
- US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
- US_AC6V2.0RTL_V15.03.06.51_multi_T
How the backdoor operates inside /bin/httpd
The backdoor resides in the login() function of the device's /bin/httpd web server binary. Under normal operation the login flow performs an MD5-based password verification. If that verification fails, the code activates an alternate path that calls GetValue("sys.rzadmin.password") to retrieve a secondary password from the device configuration.
In that alternate path the user-supplied password is compared directly against the configuration-stored value in plaintext. If those values match, the application assigns an administrative role (role=2) and creates a valid session with elevated privileges. According to CERT/CC, the associated ["rzadmin"] username is not validated, so any provided username will succeed when paired with the backdoor password.
Consequences: what an attacker can do
CERT/CC warns that successful exploitation of this hidden authentication override allows full administrative access to the device's web interface regardless of the administrator account credentials. With such access, an attacker can make unauthorized remote modifications to settings, disable security features, or reconfigure the device—actions that the advisory says could lead to a complete device takeover.
What this means for technologists, end users, and adversaries
- Technologists and security teams: The issue is tracked as CVE-2026-11405 and, per the advisory, remains unpatched as of writing. CERT/CC's findings and the exact firmware strings above give teams concrete identifiers to search for in inventories and logs. The advisory also sets a near-term mitigation baseline for defenders.
- End users and the general public: CERT/CC advises disabling remote management on affected devices and changing the default LAN IP address to prevent bad actors from reaching the interface and to reduce opportunistic discovery by automated scanners that target known default IP ranges.
- Adversaries and automated scanners: The advisory makes explicit how an attacker can bypass password verification and that any username will succeed when paired with the backdoor password. The guidance to change default LAN IPs reflects an immediate countermeasure against opportunistic scanning that seeks devices at known default addresses.
As the record stands, the vulnerability was reported by an anonymous researcher and remains unpatched. The Hacker News has reached out to Tenda for comment and will update the report if the vendor responds. For now, the CERT/CC advisory and the listed firmware identifiers are the primary, actionable facts available to organizations and users assessing exposure.
Original reporting: https://thehackernews.com/2026/07/certcc-warns-of-hidden-admin-backdoor.html




