Hidden Backdoor in Tenda Router Firmware Grants Admin Access
What happened
A hidden authentication backdoor has been found by the CERT Coordination Center of Carnegie Mellon University’s Software Engineering Institute in multiple Tenda router firmware versions, potentially allowing an attacker to gain administrative access to the device’s web management panel. The issue is tracked as CVE-2026-11405 and remains unfixed because the vendor could not be reached through the coordination process.
The vulnerability is caused by an undocumented authentication mechanism in the login function of the router’s web server binary. When a user attempts to log in, the firmware first performs the standard MD5-based authentication check. If that fails, the device retrieves an alternate password from a configuration value and compares it directly against the plaintext password supplied by the remote user.
If the supplied password matches that hidden configuration value, the router grants administrator access and creates a valid session regardless of the username entered. The mechanism is not documented or exposed in the administrative interface, leaving users unaware that a separate backdoor-style password path exists.
The flaw affects several Tenda WiFi router firmware versions, including models FH1201, W15E, AC10, AC5, and AC6 V2. No patch is currently available. Users are advised to disable remote access to the web management panel and reduce local discovery risk by changing the default LAN IP address. There is no reported active exploitation yet, but router backdoors and authentication bypasses are likely targets for botnets that scan for exposed consumer and small-business devices.
Who is affected
Users and organizations running affected Tenda router firmware are directly affected, especially if the router’s web management interface is exposed to the internet.
Small businesses, branch offices, home offices, and unmanaged networks face higher risk if vulnerable routers are used as perimeter devices without monitoring, firmware review, or remote management restrictions.
The impact can extend beyond the router itself. With administrative access, an attacker could change network settings, weaken security features, redirect traffic, alter DNS configuration, or use the device as a foothold for broader compromise of the local network.
Why CISOs should care
This issue shows how hidden authentication mechanisms in network equipment can create serious exposure even when administrators believe they have set strong credentials.
For CISOs, the router management interface is the key risk. If exposed, a vulnerable device may be compromised without the attacker needing the configured administrator username or password.
The lack of a patch also changes the mitigation strategy. Security teams cannot simply wait for an update and must instead reduce exposure by disabling remote management, restricting local access, and replacing affected devices where risk is unacceptable.
The case also reinforces the need to include small-office and edge networking devices in asset management. Routers, firewalls, and access points are often treated as set-and-forget infrastructure, but they can become high-value entry points for botnets and targeted attackers.
3 practical actions
Disable remote web management: Affected users should prevent internet access to the router’s management panel. Administrative access should be limited to trusted local networks or dedicated management paths.
Review and replace affected devices where needed: Because no patch is available, organizations should identify Tenda FH1201, W15E, AC10, AC5, and AC6 V2 devices running affected firmware and consider replacement if exposure cannot be sufficiently reduced.
Harden local network access to router administration: Security teams should change default LAN addressing where appropriate, restrict who can reach the management interface, monitor for unauthorized configuration changes, and review DNS, firewall, and remote access settings for tampering.
More in cybersecurity:
Accenture Confirms Breach After Hacker Offers Stolen Data for Sale
16-Year-Old Linux KVM Flaw Enables Guest-to-Host Escape Risk
TrojPix Attack Leaks Data From Air-Gapped Systems Through Video Cable Emissions
Gemini Live Voice Session Flaw Enables Tool Injection Through Ephemeral Tokens


