Hidden Backdoor in Tenda Router Firmware Allows Attackers to Gain Admin Access
A hidden authentication backdoor has been discovered in several Tenda router firmware versions, potentially allowing attackers to gain full administrative control of affected devices.
The vulnerability, tracked as CVE-2026-11405, was reported by the CERT Coordination Center (CERT/CC). The issue exists because of an undocumented authentication method inside the router’s web server software. CERT/CC says the vulnerability remains unpatched because Tenda could not be reached for a response.
The flaw is located in the router’s /bin/httpd web server binary and affects the login() function. Normally, the router uses standard MD5-based authentication to verify users. However, if that process fails, the firmware checks a hidden configuration value called sys.rzadmin.password.
If the supplied password matches this hidden value, the router grants administrator-level access regardless of the username entered. This means attackers who know the backdoor password could bypass normal account protections and access the device’s management interface.
With administrative access, attackers could change network settings, disable security protections, modify router configurations, and potentially compromise other devices connected to the same network.
The vulnerability affects several Tenda router models and firmware versions, including:
- Tenda FH1201
- Tenda W15E
- Tenda AC10
- Tenda AC5
- Tenda AC6 V2
CERT/CC says no official security update is currently available. Users are advised to disable remote web management to prevent attackers from accessing the vulnerable interface over the internet.
Security experts also recommend reducing exposure by changing default LAN settings and limiting access to the router’s administrative panel to reduce the risk of automated attacks.
The vulnerability was discovered and reported by an anonymous security researcher.
Leave a comment