Hidden Tenda Router Backdoor Grants Admin Access, No Patch Available

CERT/CC warns an unpatched backdoor in several Tenda routers lets attackers bypass login and gain full admin access with a hidden password.

CERT/CC published an alert documenting an undocumented authentication backdoor in multiple Tenda firmware versions, tracked as CVE-2026-11405. The flaw gives anyone who knows the right password full administrative access to the device’s web management interface, regardless of whatever password the actual owner has set. The vendor hasn’t responded, and the vulnerability remains unpatched.

“Several versions of Tenda firmware contain an undocumented authentication backdoor that grants administrative access to the devices’ web management interfaces.” reads the advisory published by CERT/CC. “An attacker can expoit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials.”

The affected firmware versions span several product lines: the FH1201, W15E, AC10, AC5, and AC6. Tenda sells home and business networking gear including routers, switches, wireless access points, and video surveillance equipment. All of these products include a web interface protected by username and password authentication. Or so the documentation says.

The authentication logic sits in the login() function inside the web server binary /bin/httpd. When someone tries to log in, the function first runs through the normal process: MD5-based password hashing, comparison, the usual. If that check fails, instead of stopping there, it does something else entirely.

A matching value grants role=2, which is admin-level access, and creates a valid session with full privileges.

The username field doesn’t matter at all.

“However, if authentication fails, the function invokes GetValue("sys.rzadmin.password") to retrieve an alternate password value from the device configuration. It then performs a direct strcmp() comparison in plaintext between the user-supplied password and the configuration-stored value. A successful match grants role=2 admin-level access and creates a valid session.” continues the advisory. “The associated username is not validated, so any provided username will succeed when paired with the backdoor password.”

An attacker can enter any username and the hidden backdoor password to log in as an administrator. The router’s configured username and password are completely bypassed.

Full admin access to a router’s web interface gives attackers full control of the device. An attacker can redirect traffic by changing DNS settings, disable security features, reconfigure the network, or use the device as a stepping stone into whatever’s connected behind it. The CERT/CC advisory describes the potential outcome as a complete device takeover.

“Successful exploitation grants full administrative access to the device’s web interface, regardless of the configured administrator account credentials.” CERT/CC states. “With administrative control, an attacker can reconfigure the device, alter network settings, and disable security features, enabling broader compromise of the local network.”

The backdoor is baked into the firmware binary, not into any configuration file an admin can edit or reset. The hidden password value lives in the device configuration under sys.rzadmin.password, which means it shipped this way from Tenda intentionally, not as something an owner could accidentally trigger. There’s no way to disable it from the management interface because it isn’t visible there at all.

The vulnerability was reported by an anonymous researcher. Tenda hasn’t acknowledged it or provided any timeline for a fix. CERT/CC’s interim recommendations are to disable remote management on the device, which removes exposure to attackers coming in from the internet, and to change the default LAN IP address to reduce how easily automated scanners can find and probe the device.

No owner-side configuration change removes the code path. Until Tenda ships updated firmware that strips this out entirely, the only meaningful mitigation is making sure the device is unreachable from the internet, and reconsidering whether it should stay in production at all.

If you’re running any of the five affected firmware versions, disable remote management immediately and monitor for a firmware update from Tenda. Given the silence so far, it’s unclear when or whether one will arrive.

“Changing the default LAN IP address may reduce opportunistic discovery by automated scanners that target known default IP ranges. Note that this measure does not prevent deliberate or targeted network scanning.”concludes the advisory.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Tenda)

Leave a Reply

Your email address will not be published. Required fields are marked *

Subscribe to our Newsletter