CVE-2026-11405 is a hidden authentication backdoor inside multiple Tenda router firmware builds that can hand an attacker full administrator access to the device’s web management panel, according to a CERT Coordination Center advisory.
CVE-2026-11405: how the backdoor works
CERT/CC says the undisclosed mechanism lives in the login() function of the router’s /bin/httpd web server binary. When a user attempts to log in the firmware first performs standard MD5-based authentication. If that fails, the code retrieves an alternate password from the sys.rzadmin.password configuration value and compares that value directly to the plaintext password supplied by the remote user. If the two strings match, the device grants administrator (role=2) access and creates a valid session regardless of the username entered. In short, “any username will be accepted by the mechanism as long as the backdoor password is supplied.”
What CERT/CC warns about the consequences
CERT/CC highlights the operational impact in plain terms: “Successful exploitation grants full administrative access to the device's web interface, regardless of the configured administrator account credentials.” The bulletin adds that control of the web interface enables an attacker to “reconfigure the device, alter network settings, and disable security features, enabling broader compromise of the local network.” CERT/CC also notes the mechanism is undocumented and not exposed in the administrative interface, leaving users unaware of the risk.
Affected Tenda models and firmware versions
- US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD – Tenda FH1201 (WiFi router)
- US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE – Tenda W15E (WiFi router)
- US_AC10V1.0re_V15.03.06.46_multi_TDE01 – Tenda AC10 (WiFi router)
- US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 – Tenda AC5 (WiFi router)
- US_AC6V2.0RTL_V15.03.06.51_multi_T – Tenda AC6 V2 (WiFi router)
CERT/CC guidance and the current remediation status
CERT/CC reports that no patch is currently available and that the problem remains unfixed because the Chinese maker of the networking equipment could not be reached. The advisory recommends that affected users disable the remote web management panel to prevent internet access to the vulnerable interface. CERT/CC also advises restricting local network exposure by changing the default LAN IP address to reduce opportunistic discovery by automated scanners.
What this means for security teams, end users, and botnet operators
- Security teams and administrators: Treat internet-exposed web management as immediately risky for affected devices; follow CERT/CC’s recommendation to disable remote web management and change the default LAN IP. Monitor for unexpected configuration changes that could reflect unauthorized administrative sessions.
- End users and small networks: If you own one of the listed Tenda models, expect no vendor patch yet and prioritize disabling remote web management and altering default LAN addressing as temporary mitigations recommended by CERT/CC.
- Adversaries and automated botnets: CERT/CC observes no mention of active exploitation in the advisory, but warns the issue is “very likely to be targeted by botnets focusing on router flaws in the coming period,” making unattended devices attractive targets.
The vulnerability was discovered and reported to CERT/CC by an anonymous researcher. BleepingComputer contacted Tenda for comment and said it will add any response if received. The combination of an undocumented fallback password, an unreachable vendor, and no available patch leaves affected devices exposed to opportunistic scanning and automated attacks until vendor action or other mitigations are put in place.




