Hidden backdoor in Tenda router firmware grants admin access
A hidden authentication backdoor exists in multiple Tenda router firmware versions, allowing an attacker to gain administrative access to the device's web management panel by supplying a special backdoor password. This undocumented mechanism bypasses normal authentication, granting full admin rights regardless of the username. The issue remains unpatched as the vendor has not responded. Users are advised to disable remote web management and restrict local network exposure to mitigate risk.
AI Analysis
Technical Summary
CVE-2026-11405 is a vulnerability in multiple Tenda router firmware versions caused by an undocumented authentication backdoor in the 'login()' function of the '/bin/httpd' web server binary. When standard MD5-based authentication fails, the firmware compares the supplied plaintext password against a hidden configuration value 'sys.rzadmin.password'. If they match, the device grants administrator access and creates a valid session regardless of the username. This backdoor is not documented or visible in the administrative interface, leaving users unaware of the risk. Successful exploitation allows full administrative control over the router, enabling reconfiguration, network setting changes, and disabling security features. Affected firmware versions include specific builds for Tenda FH1201, W15E, AC10, AC5, and AC6 V2 models. CERT/CC reports no patch is currently available and recommends disabling remote web management and restricting LAN exposure.
Potential Impact
Exploitation grants full administrative access to the router's web interface regardless of configured administrator credentials. An attacker can reconfigure the device, alter network settings, and disable security features, potentially enabling broader compromise of the local network. No active exploitation has been reported yet, but the vulnerability is likely to be targeted by botnets and automated attacks.
Mitigation Recommendations
No official patch or fix is currently available as the vendor has not responded. Users should disable the remote web management panel to prevent internet access to the vulnerable interface. Additionally, it is recommended to reduce local network exposure by changing the default LAN IP address to limit opportunistic discovery by automated scanners. Monitor vendor advisories for any future updates or patches.
Hidden backdoor in Tenda router firmware grants admin access
Description
A hidden authentication backdoor exists in multiple Tenda router firmware versions, allowing an attacker to gain administrative access to the device's web management panel by supplying a special backdoor password. This undocumented mechanism bypasses normal authentication, granting full admin rights regardless of the username. The issue remains unpatched as the vendor has not responded. Users are advised to disable remote web management and restrict local network exposure to mitigate risk.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
CVE-2026-11405 is a vulnerability in multiple Tenda router firmware versions caused by an undocumented authentication backdoor in the 'login()' function of the '/bin/httpd' web server binary. When standard MD5-based authentication fails, the firmware compares the supplied plaintext password against a hidden configuration value 'sys.rzadmin.password'. If they match, the device grants administrator access and creates a valid session regardless of the username. This backdoor is not documented or visible in the administrative interface, leaving users unaware of the risk. Successful exploitation allows full administrative control over the router, enabling reconfiguration, network setting changes, and disabling security features. Affected firmware versions include specific builds for Tenda FH1201, W15E, AC10, AC5, and AC6 V2 models. CERT/CC reports no patch is currently available and recommends disabling remote web management and restricting LAN exposure.
Potential Impact
Exploitation grants full administrative access to the router's web interface regardless of configured administrator credentials. An attacker can reconfigure the device, alter network settings, and disable security features, potentially enabling broader compromise of the local network. No active exploitation has been reported yet, but the vulnerability is likely to be targeted by botnets and automated attacks.
Mitigation Recommendations
No official patch or fix is currently available as the vendor has not responded. Users should disable the remote web management panel to prevent internet access to the vulnerable interface. Additionally, it is recommended to reduce local network exposure by changing the default LAN IP address to limit opportunistic discovery by automated scanners. Monitor vendor advisories for any future updates or patches.
Threat ID: 6a4d373ac9d9e3dbe39163c4
Added to database: 07/07/2026, 17:28:26 UTC
Last enriched: 07/07/2026, 17:28:34 UTC
Last updated: 07/07/2026, 17:56:51 UTC
Views: 4
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.