Tenda Routers Exposed to Critical Authentication Backdoor

Recent findings have unveiled a significant security flaw in Tenda network devices, specifically an undocumented authentication backdoor that permits attackers to obtain full administrative access without valid credentials. This vulnerability, identified as CVE-2026-11405, affects multiple firmware versions across several Tenda router models, including the FH1201, W15E, AC10, AC5, and AC6 series.

The CERT Coordination Center (CERT/CC) highlighted this issue in Vulnerability Note VU#213560 on July 6, 2026. Tenda routers are commonly utilized in home and small business settings, where they rely on web-based management interfaces secured by username and password authentication.

Technical Details of the Backdoor

The vulnerability resides within the web server binary located at /bin/httpd. Specifically, the login() function contains an undocumented authentication mechanism. Under normal circumstances, this function validates user credentials using an MD5-based password verification process. However, when authentication fails, the function follows an alternate execution path that introduces a hidden backdoor.

This backdoor retrieves a secondary password value from the device configuration using the GetValue("sys.rzadmin.password") function. Instead of applying standard hashing or secure comparison, the system performs a direct plaintext strcmp() comparison between the supplied password and the stored value. If the comparison succeeds, the system grants administrative privileges by assigning role=2 and creates a valid session.

Notably, the username is not validated during this fallback process, meaning an attacker can use any arbitrary username alongside the backdoor password to gain full administrative control. The presence of this mechanism is not documented and cannot be identified through the standard administrative interface, making it particularly dangerous.

Potential Impact and Mitigation

Successful exploitation enables attackers to fully compromise affected devices. With administrative access, attackers can modify network configurations, redirect traffic, disable security controls, or deploy malicious firmware. This level of control can facilitate broader attacks, including man-in-the-middle interception, persistence within the network, and lateral movement to other connected systems.

At the time of disclosure, no official patch or firmware update has been released by Tenda, and attempts to coordinate with the vendor were unsuccessful. As a result, users are advised to take immediate mitigation steps to reduce exposure. Security experts recommend disabling remote web management features to prevent external access to the device’s interface. Additionally, changing the default local IP address may reduce the likelihood of automated scanning attacks targeting known address ranges; however, it does not deter determined attackers.

The discovery of these hidden backdoors raises serious concerns about firmware security practices and the trustworthiness of the supply chain. Users and organizations relying on affected Tenda devices should closely monitor for updates and consider replacing vulnerable hardware if no fix becomes available.

This incident underscores the critical importance of transparency and rigorous security practices in firmware development. Manufacturers must prioritize the elimination of undocumented access mechanisms to maintain user trust and ensure the integrity of network devices. Users should remain vigilant, regularly update firmware, and implement robust security configurations to safeguard their networks against such vulnerabilities.