Skip to main content
Press slash or control plus K to focus the search. Use the arrow keys to navigate results and press enter to open a threat.
Reconnecting to live updates…

Hidden backdoor in Tenda router firmware grants admin access

0
Low
Vulnerabilityweb
Published: 07/07/2026 (07/07/2026, 17:27:22 UTC)
Source: Bleeping Computer

Description

A hidden authentication backdoor exists in multiple Tenda router firmware versions, allowing an attacker to gain administrative access to the device's web management panel by supplying a special backdoor password. This undocumented mechanism bypasses normal authentication, granting full admin rights regardless of the username. The issue remains unpatched as the vendor has not responded. Users are advised to disable remote web management and restrict local network exposure to mitigate risk.

AI-Powered Analysis

Machine-generated threat intelligence

AILast updated: 07/07/2026, 17:28:34 UTC

Technical Analysis

CVE-2026-11405 is a vulnerability in multiple Tenda router firmware versions caused by an undocumented authentication backdoor in the 'login()' function of the '/bin/httpd' web server binary. When standard MD5-based authentication fails, the firmware compares the supplied plaintext password against a hidden configuration value 'sys.rzadmin.password'. If they match, the device grants administrator access and creates a valid session regardless of the username. This backdoor is not documented or visible in the administrative interface, leaving users unaware of the risk. Successful exploitation allows full administrative control over the router, enabling reconfiguration, network setting changes, and disabling security features. Affected firmware versions include specific builds for Tenda FH1201, W15E, AC10, AC5, and AC6 V2 models. CERT/CC reports no patch is currently available and recommends disabling remote web management and restricting LAN exposure.

Potential Impact

Exploitation grants full administrative access to the router's web interface regardless of configured administrator credentials. An attacker can reconfigure the device, alter network settings, and disable security features, potentially enabling broader compromise of the local network. No active exploitation has been reported yet, but the vulnerability is likely to be targeted by botnets and automated attacks.

Mitigation Recommendations

No official patch or fix is currently available as the vendor has not responded. Users should disable the remote web management panel to prevent internet access to the vulnerable interface. Additionally, it is recommended to reduce local network exposure by changing the default LAN IP address to limit opportunistic discovery by automated scanners. Monitor vendor advisories for any future updates or patches.

Pro Console: star threats, build custom feeds, automate alerts via Slack, email & webhooks.Upgrade to Pro

Threat ID: 6a4d373ac9d9e3dbe39163c4

Added to database: 07/07/2026, 17:28:26 UTC

Last enriched: 07/07/2026, 17:28:34 UTC

Last updated: 07/07/2026, 17:56:51 UTC

Views: 4

Community Reviews

0 reviews

Crowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.

Sort by
Loading community insights…

Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.

Actions

PRO

Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.

Please log in to the Console to use AI analysis features.

Need more coverage?

Upgrade to Pro Console for AI refresh and higher limits.

For incident response and remediation, OffSeq services can help resolve threats faster.

Latest Threats

Breach by OffSeqOFFSEQFRIENDS — 25% OFF

Check if your credentials are on the dark web

Instant breach scanning across billions of leaked records. Free tier available.

Scan now
OffSeq TrainingCredly Certified

Lead Pen Test Professional

Technical5-day eLearningPECB Accredited
View courses