[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fVTAKk7zwJrFyFhOJn2WAHSfhj1H7Jl0ejW9f-27MLH4":3},{"article":4,"iocs":50},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":32,"category":33,"article_tags":37},"d7a608b1-bd6b-47fa-8c50-aa0f3b63dc4c","Hidden backdoor in Tenda router firmware grants admin access","hidden-backdoor-in-tenda-router-firmware-grants-admin-access-cede3d","A hidden authentication backdoor has been found in multiple Tenda router firmware versions, potentially allowing an attacker to gain administrative access to the device's web management panel. [...]","A critical authentication backdoor, CVE-2026-11405, has been discovered in multiple Tenda router firmware versions. This vulnerability allows attackers to gain administrative access to the device's web management panel by exploiting an undocumented mechanism. The vendor has not yet provided a fix, and users are advised to disable remote management.","Tenda router firmware contains a hidden backdoor allowing admin access via CVE-2026-11405.","Hidden backdoor in Tenda router firmware grants admin access By Bill Toulas July 7, 2026 01:27 PM 0 A hidden authentication backdoor has been found in multiple Tenda router firmware versions, potentially allowing an attacker to gain administrative access to the device's web management panel. According to a security bulletin from the CERT Coordination Center, the issue remains unfixed because the Chinese maker of the networking equipment couldn't be reached. CERT\u002FCC says the issue, tracked as CVE-2026-11405, is caused by an undocumented authentication mechanism in the 'login()' function of the '\u002Fbin\u002Fhttpd' web server binary. If a user attempts to log in, the router firmware will perform standard MD5-based authentication. If that fails, it will retrieve an alternate password from the 'sys.rzadmin.password' configuration value and compare it directly to the plaintext password supplied by the remote user. If the passwords match, the device grants administrator (role=2) access and creates a valid session, regardless of the username entered. So any username will be accepted by the mechanism as long as the backdoor password is supplied. CERT\u002FCC says this mechanism isn't documented anywhere, or mentioned on the administrative interface, leaving users unaware of the risk. \"Successful exploitation grants full administrative access to the device's web interface, regardless of the configured administrator account credentials,\" describes CERT\u002FCC. \"With administrative control, an attacker can reconfigure the device, alter network settings, and disable security features, enabling broader compromise of the local network.\" CVE-2026-11405 impacts the following Tenda firmware versions and devices: US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD – Tenda FH1201 (WiFi router) US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE – Tenda W15E (WiFi router) US_AC10V1.0re_V15.03.06.46_multi_TDE01 – Tenda AC10 (WiFi router) US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 – Tenda AC5 (WiFi router) US_AC6V2.0RTL_V15.03.06.51_multi_T – Tenda AC6 V2 (WiFi router) CERT\u002FCC reports that no patch is currently available, and Tenda users are advised to disable the remote web management panel to prevent internet access to the vulnerable interface. Additionally, it is recommended to restrict local network exposure by changing the default LAN IP address to reduce opportunistic discovery by automated scanners. CVE-2026-11405 was discovered and reported to CERT\u002FCC by an anonymous researcher. While no mention of active exploitation exists, the issue is very likely to be targeted by botnets focusing on router flaws in the coming period. BleepingComputer has contacted Tenda for comment, and we will add their response if we receive one. Test every layer before attackers do Security teams log 54% of successful attacks and alert on just 14%. The rest move through your environment unseen.The Picus whitepaper shows how breach and attack simulation tests your SIEM and EDR rules so threats stop slipping by detection. Get the whitepaper Related Articles: Google: Hackers used AI to develop zero-day exploit for web admin toolBeyondTrust warns of critical flaws in remote access softwareMicrosoft Defender 'RoguePlanet' zero-day grants SYSTEM privilegesSimpleHelp bug lets hackers create rogue remote support accountsPalo Alto GlobalProtect VPN auth bypass flaw now exploited in attacks","https:\u002F\u002Fwww.bleepingcomputer.com\u002Fnews\u002Fsecurity\u002Fhidden-backdoor-in-tenda-router-firmware-grants-admin-access\u002F","https:\u002F\u002Fwww.bleepstatic.com\u002Fcontent\u002Fhl-images\u002F2026\u002F07\u002F07\u002Ftenda-router.jpg","2026-07-07T17:27:22+00:00","2026-07-07T18:00:21.70929+00:00",8,[18,21,24,26,28,30],{"name":19,"type":20},"Tenda","vendor",{"name":22,"type":23},"FH1201","product",{"name":25,"type":23},"W15E",{"name":27,"type":23},"AC10",{"name":29,"type":23},"AC5",{"name":31,"type":23},"AC6 V2","80544778-fabb-4dcd-aa35-17492e5dcf4f",{"id":32,"icon":34,"name":35,"slug":36},null,"Vulnerabilities","vulnerabilities",[38,40,45],{"category":39},{"id":32,"icon":34,"name":35,"slug":36},{"category":41},{"id":42,"icon":34,"name":43,"slug":44},"d6f63bb8-0801-486a-be7f-171400700454","IoT\u002FOT","iot-ot",{"category":46},{"id":47,"icon":34,"name":48,"slug":49},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[51],{"type":52,"value":53,"context":54},"cve","CVE-2026-11405","Hidden authentication backdoor in Tenda router firmware"]