Hidden backdoor in Tenda router firmware grants admin access

A security vulnerability has been discovered in the firmware of several Tenda router models, creating a hidden backdoor that could allow unauthorized administrative access. The issue, tracked as CVE-2026-11405, stems from an undocumented authentication mechanism within the device's web server.
According to the CERT Coordination Center (CERT/CC), this backdoor bypasses standard login procedures. When a user attempts to authenticate, the router first tries a conventional MD5-based method. If this fails, the firmware then checks a specific configuration value, 'sys.rzadmin.password', against a plaintext password provided by the user. If these match, the device grants administrator privileges, identified as role=2, and establishes a valid session, irrespective of the username entered.

This hidden authentication method is not documented and is not indicated on the administrative interface, leaving users unaware of the potential risk. Successful exploitation grants an attacker full control over the device's web interface, overriding any existing administrator credentials. This level of access would enable an attacker to reconfigure the router, modify network settings, and disable security features, potentially leading to a broader compromise of the local network.
The vulnerability affects specific firmware versions for several Tenda router models, including the FH1201, W15E, AC10, AC5, and AC6 V2. The affected firmware versions are listed as US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T.
As of the report, CERT/CC indicates that Tenda has not yet released a patch to address this vulnerability. The networking equipment manufacturer has reportedly been difficult to reach regarding the issue.

Given the lack of a fix, users of the affected Tenda routers are advised to disable the remote web management panel to prevent internet-accessible exploitation of the vulnerable interface. Additionally, it is recommended to restrict local network exposure by changing the default LAN IP address. This measure can help reduce the chances of opportunistic discovery by automated scanning tools.
The CVE-2026-11405 vulnerability was discovered and reported to CERT/CC by an anonymous researcher. While there is no current information about active exploitation, security experts anticipate that botnets targeting router vulnerabilities may soon attempt to exploit this flaw.





