Tenda routers ship a hidden backdoor password — CVE-2026-11405 unpatched
CERT/CC disclosed CVE-2026-11405 on July 6: five Tenda firmware images ship a plaintext strcmp() backdoor in /bin/httpd. Tenda didn't respond and no patch is available.
The CERT Coordination Center published VU#213560 on July 6, 2026, disclosing CVE-2026-11405 — an undocumented authentication backdoor in the web management interface of five Tenda SOHO devices. The login() function inside /bin/httpd reads an alternate password from device configuration and compares it in plaintext against whatever a remote user submits. A match hands over administrator (role=2) access. Tenda did not respond to CERT/CC's coordinated disclosure attempts, and no patch is available at time of writing.
What the backdoor does
CERT/CC's advisory describes the mechanism in detail. The login() handler in /bin/httpd first runs the standard MD5-based credential check. On failure — the normal path a wrong password takes — it does not return an error. Instead it invokes GetValue("sys.rzadmin.password") to fetch a secondary password value from the device's non-volatile configuration store, then runs a direct strcmp() between that plaintext value and the password the client sent over HTTP. If they match, the handler creates a session, assigns the connecting user administrator role (role=2), and does not validate the username field at all — any string, including one that maps to no real account, will succeed.
The consequence: anyone who reaches the web UI and knows or guesses the value stored under sys.rzadmin.password is instantly an administrator on the router. On an internet-exposed device with remote management enabled, that is one HTTP request from unauthenticated to full config-plane control — DNS, routing, port forwards, firmware upload.
Affected models and firmware
CERT/CC lists five specific firmware images:
- Tenda FH1201 —
US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD - Tenda W15E —
US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE - Tenda AC10 —
US_AC10V1.0re_V15.03.06.46_multi_TDE01 - Tenda AC5 —
US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 - Tenda AC6 V2 —
US_AC6V2.0RTL_V15.03.06.51_multi_T
CERT/CC also notes that other Tenda images share code with the httpd binary in these builds; the list above is what has been confirmed hands-on, not an upper bound. Treat any Tenda SOHO router in production as suspect until you have run the string-search below.
Exploitation status
- No confirmed in-the-wild exploitation at time of publication. CERT/CC's VU#213560 states no active abuse has been observed and lists no public PoC. Reporting at BleepingComputer, The Hacker News, and Tom's Hardware tracks the same framing.
- CVE-2026-11405 is not on the CISA Known Exploited Vulnerabilities catalog as of publication.
- No vendor patch. CERT/CC records repeated coordinated-disclosure attempts to Tenda between April and June with no substantive response.
Action checklist
- Inventory Tenda devices reachable from the WAN. If the WAN-side interface answers on TCP/80 or TCP/443, remote management is on; that is the exploitation surface. Turn it off (
System Tools > Remote Web Management) from the LAN side today. Do not wait for a firmware. - Rotate the LAN-side management address off the default
192.168.0.1/192.168.1.1and put the management interface on a VLAN that no user endpoint can route to. This does not fix the bug — it narrows the attackers who can reach it. - Retire and replace where the device sits on a production edge. These are consumer/SOHO models with no supported patch path; a Tenda AC10 or AC5 fronting a small business or branch office should be swapped for a vendor with an active advisory pipeline. Treat the swap as a scheduled task, not a "someday."
- Sweep for compromise before you assume clean. The primitive is a full-config admin session, so evidence would sit in the router's config: unexpected DNS servers under WAN settings, unfamiliar port-forward rules, admin accounts you didn't create, altered firmware image checksums where you can pull them.
- If you are an ISP or MSP with fleet visibility, banner-grab the Tenda
httpdfingerprint across the address space you serve and notify customers before you get a KEV clock ticking against you. There is no upstream fix to deploy, so notification and replacement are the only levers.
Context
This is the second undocumented SOHO-router backdoor in twelve months where the vendor stopped answering the researchers who found it. The pattern — hardcoded or configuration-stored secondary credential, strcmp() fallback path in the login handler, admin role assigned without username validation — is the same shape as CVE-2024-6047 in Zyxel LTE routers and CVE-2023-49559 in D-Link DIR-x models. What is different here is the disclosure endgame: CERT/CC published without a coordinated fix, which they do only when the vendor has effectively withdrawn from the conversation. That is the escalation signal for procurement — a router line whose vendor has stopped responding to CERT/CC is not a router line you should be buying in 2026.
The KEV timeline is worth watching. CVE-2026-11405 has the exact profile CISA has been adding fast this year: unauthenticated remote admin on a widely deployed default-configuration device with no patch. If it lands on the catalog, US federal agencies get 21 days to prove the affected devices are off the network — and there is no fix to install, so the deadline collapses to "replace or disconnect."