Cybersecurity researchers have uncovered a critical, unpatched vulnerability in popular Tenda networking hardware that allows attackers to gain full administrative control without any valid login credentials. The issue, disclosed by the CERT Coordination Center (CERT/CC) on July 6, stems from an undocumented authentication backdoor embedded in the firmware of several router models.
How the hidden backdoor bypasses router security
The flaw, tracked as CVE-2026-11405, resides in the web management interface of affected devices. Unlike typical authentication failures that simply reject invalid login attempts, this backdoor executes a secondary, hidden authentication routine when the standard password check fails.
When a user submits credentials via the web interface, the firmware first verifies the password using a standard MD5-based check. If that fails, the system silently retrieves an alternate password stored under the configuration key sys.rzadmin.password and compares it against the input using strcmp(). If the passwords match, the device grants full administrator privileges—regardless of the username entered. This means any username can be used as long as the hidden password is supplied, effectively bypassing the configured administrator account entirely.
Which Tenda routers are at risk—and what attackers can do
CERT/CC has identified five affected firmware versions across multiple router families, including FH1201, W15E, AC10, AC5, and AC6. However, the list may not be exhaustive, as Tenda has not provided a comprehensive breakdown of vulnerable models. The lack of vendor response further complicates mitigation efforts.
Successful exploitation grants attackers unrestricted access to the router’s configuration. Potential abuse includes:
- - Modifying DNS settings to redirect traffic to malicious servers.
- - Disabling built-in security features like firewalls or parental controls.
- - Replacing administrator credentials to lock out legitimate users.
- - Enabling remote administration ports for persistent access.
Because routers act as gateways between local devices and the internet, a compromised unit can expose every connected system to further attacks, including data theft or botnet recruitment.
Why this backdoor is especially dangerous—and what users can do
Unlike conventional authentication flaws that stem from coding errors, this backdoor represents a separate, undocumented login path. Its presence raises serious questions about intent: Was it deliberately inserted, or left behind as a forgotten development artifact? CERT/CC has not drawn conclusions, and Tenda’s silence offers no clarity.
Until an official patch becomes available, CERT/CC recommends several mitigation steps:
- - Disable remote web management to prevent external attackers from accessing the interface.
- - Limit local network exposure by changing the router’s default LAN IP address.
- - Monitor network traffic for unusual DNS or routing changes.
The disclosure underscores broader concerns raised by regulators like the FCC, which has moved to restrict certain foreign-made networking devices due to supply-chain security risks. An unpatched backdoor in widely deployed routers highlights the real-world impact of such vulnerabilities on home and small-business networks.
Tenda has yet to acknowledge the issue or release a timeline for a fix, leaving users reliant on workarounds to reduce their exposure. The situation serves as a stark reminder of the importance of proactive security practices—and the risks posed by undocumented features in consumer hardware.
AI summary
Tenda yönlendiricilerde keşfedilen ve hiçbir parola gerektirmeyen gizli bir yönetici arka kapısıyla ilgili her şey. Açığı nasıl tespit edersiniz ve nasıl korunabilirsiniz? Ayrıntılar burada.



