Tenda router firmware has hidden authentication backdoor (CVE-2026-11405)
Original: Tenda firmware (multiple versions) contains hidden authentication backdoor
Why This Matters
Unpatched backdoors in widely-deployed consumer routers pose systemic risks to home and SMB network security.
CERT/CC disclosed on July 6, 2026 that multiple Tenda firmware versions contain an undocumented backdoor (CVE-2026-11405) in the /bin/httpd login() function, allowing attackers to gain full admin access without valid credentials. No patch is available; vendor has not responded.
CERT/CC published Vulnerability Note VU#213560 on July 6, 2026, disclosing a hidden authentication backdoor in multiple Tenda router firmware versions, tracked as CVE-2026-11405. Affected firmware includes US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5, US_AC10V1.0re_V15.03.06.46, US_AC5V1.0RTL_V15.03.06.48, and US_AC6V2.0RTL_V15.03.06.51. The vulnerability resides in the login() function within the /bin/httpd web server binary. After normal MD5-based authentication fails, the function silently calls GetValue("sys.rzadmin.password") to retrieve an alternate password from device configuration, then performs a plaintext strcmp() comparison. A match grants role=2 admin-level access and creates a valid session. Crucially, the username field is not validated — any username paired with the backdoor password succeeds. This mechanism is completely undocumented and invisible in any administrative interface. Successful exploitation allows an attacker to reconfigure the device, alter network settings, and disable security features. CERT/CC notified Tenda on May 19, 2026, but received no response, and no patch exists. Recommended mitigations include disabling remote management and changing the default LAN IP address to reduce opportunistic scanning exposure.