Tenda router owners should check their firmware and management exposure now: CERT/CC has published VU#213560 for CVE-2026-11405, an undocumented authentication backdoor in several Tenda firmware builds that can grant administrative access without the normal configured password.1 The alert was first published on July 6, 2026, and The Hacker News amplified the issue on July 7.2
The affected builds named by CERT/CC are US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T.1 Those strings are precise enough that administrators can compare them against the firmware version shown in the router dashboard before deciding whether the device should remain online.
The technical problem is not a normal weak password or default credential. CERT/CC says the router web server binary, /bin/httpd, follows the normal MD5-based password path first, but if that path fails it checks an alternate value from sys.rzadmin.password. If the supplied password matches that hidden value, the device creates an admin-level session. The username is not validated, which means the backdoor path is not tied to the visible administrator account.1
That distinction matters. Resetting the admin password may not remove the risk, because the vulnerable logic is in the firmware authentication flow. A successful attacker could change DNS settings, open or close ports, weaken Wi-Fi security, disable protections, or turn the router into a foothold for traffic interception and follow-on attacks. Similar router-control failures have repeatedly fed abuse patterns such as proxy botnets and exposed-device compromise, including campaigns HowToFix has covered around old D-Link routers being used as proxies, DD-WRT routers hit through UPnP flaws, and earlier reports of router backdoors in home-network equipment.
What Tenda owners should check now
There is no coordinated vendor fix at publication time. CERT/CC says it was unable to reach Tenda and did not receive a vendor statement, so the current response is mitigation rather than a clean patch cycle.1 Start by checking whether the device model and firmware build match the affected list. If it does, treat the web management interface as sensitive even when the visible admin password has been changed.
The most important immediate step is to disable remote web management. If the router exposes its admin panel to the internet, close that access path first. On local networks, restrict who can reach the management interface: remove guest-network access to the admin IP, avoid managing the router from untrusted Wi-Fi clients, and consider placing the device behind additional network controls where possible. CERT/CC also suggests changing the default LAN IP to reduce opportunistic scanner hits, while noting that this does not stop a deliberate local scan.1
Owners should also review router configuration for signs of tampering: unexpected DNS resolvers, new port-forwarding rules, remote-management settings that were turned on, changed firewall rules, unknown admin users, disabled security options, and unfamiliar DHCP or static-routing entries. If a fixed firmware build appears later, install it from Tenda’s official download channel only. If no fixed build is available for a vulnerable device that must protect a home office, small business, camera network, or payment terminal, replacement is the cleaner risk decision.
This is not currently listed in CISA’s Known Exploited Vulnerabilities catalog, and public reporting reviewed for this article did not show confirmed mass exploitation. Still, the combination of a hidden admin path, no patch, consumer/SOHO routers, and easy-to-forget remote-management settings makes CVE-2026-11405 worth handling before it becomes part of routine router-scanning noise.
References
- CERT Coordination Center, “VU#213560 – Tenda firmware (multiple versions) contains hidden authentication backdoor,” July 6, 2026. https://kb.cert.org/vuls/id/213560
- The Hacker News, “CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware,” July 7, 2026. https://thehackernews.com/2026/07/certcc-warns-of-hidden-admin-backdoor.html
- CISA, “Project Upskill Module 5: Secure Your Home Network,” referenced by CERT/CC as general hardening guidance. https://www.cisa.gov/audiences/high-risk-communities/projectupskill/module5
Leave a Comment