The CERT Coordination Center (CERT/CC) has identified a critical security vulnerability in several firmware versions of Tenda routers, a Chinese network device manufacturer. This flaw, designated as CVE-2026-11405, involves an undocumented backdoor that allows unauthorized administrative access to the devices’ web management interfaces.
The affected firmware versions include:
- US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
- US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
- US_AC10V1.0re_V15.03.06.46_multi_TDE01
- US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
- US_AC6V2.0RTL_V15.03.06.51_multi_T
The backdoor resides within the “login()” function of the “/bin/httpd” web server binary. Under normal circumstances, this function authenticates users through MD5-based password verification. However, if authentication fails, the function triggers an alternative code path that retrieves a hidden password from the device’s configuration using the “GetValue(“sys.rzadmin.password”)” call. If the user-supplied password matches this hidden value, the system grants administrative access (role=2) and establishes a valid session with elevated privileges.
Notably, the associated username is not validated, meaning any username can be used in conjunction with the backdoor password to gain access. This authentication mechanism is neither documented nor visible through any administrative interface, making it particularly insidious.
Exploiting this vulnerability allows attackers to bypass standard authentication protocols, granting them full administrative control over the device. This control enables unauthorized modifications to settings, disabling of security features, and complete reconfiguration of the router, potentially leading to a total device compromise.
As of now, Tenda has not released a patch to address this issue. Users are advised to take the following precautionary measures:
- Disable remote management on the device to prevent unauthorized external access.
- Change the default LAN IP address to reduce the risk of discovery by automated scanners targeting known default IP ranges.
This incident underscores the critical importance of transparency and security in firmware development. Undocumented backdoors pose significant risks, as they can be exploited by malicious actors to gain unauthorized access to network devices. Users should remain vigilant, regularly update their devices, and apply security best practices to mitigate potential threats.