Backdoor Vulnerability in Tenda Routers Allows Attackers to Bypass Login and Gain Administrator Privileges, With No Patch Available

Views: 41 views

371/69 Wednesday, July 8, 2026

CERT/CC has issued an advisory for CVE-2026-11405, an authentication vulnerability affecting the firmware of several Tenda router models. The vulnerability allows attackers who know a specific password to bypass login and access the device’s web management interface with administrator privileges without using valid credentials. This is possible even if the device owner has already configured an administrator password. Tenda has not yet responded to the report, and no patch is available at the time of reporting.

The vulnerability affects firmware for several products, including FH1201, W15E, AC10, AC5, and AC6. Analysis found that the authentication logic is located in the login() function inside the web server binary file /bin/httpd. When a user attempts to log in, the system performs the normal password verification process, such as hashing the password with MD5 and comparing it against the stored password value. However, if this check fails, the system retrieves a backup password from the device configuration and compares it with the password entered by the user in plaintext. If the values match, the system grants administrator-level access and creates a session with full privileges without verifying the username. As a result, an attacker can enter any username together with the specific password to log in to the system.

Gaining administrator privileges on a router allows an attacker to control the device, such as changing DNS settings, disabling security features, modifying network configurations, or using the router as a foothold to reach other devices inside the network. CERT/CC stated that the vulnerability is embedded in the firmware and is not a configuration setting that administrators can disable or modify through the management interface. Therefore, there is currently no direct way for users to eliminate the risk until Tenda releases a firmware update. Administrators should immediately disable remote management, prevent the device from being accessible from the internet, change the default LAN IP address to reduce the chance of automated scanning, and monitor firmware updates from the vendor.

Source: https://securityaffairs.com/194878/security/hidden-tenda-router-backdoor-grants-admin-access-no-patch-available.html