A recently discovered security flaw in Tenda network routers has revealed an authentication backdoor that grants attackers full administrative privileges without needing valid login credentials.
Affected Devices and Firmware
The vulnerability impacts several Tenda router models, including FH1201, W15E, AC10, AC5, and AC6, affecting multiple firmware versions. This issue has been cataloged as CVE-2026-11405 and was publicly disclosed by the CERT Coordination Center on July 6, 2026, under Vulnerability Note VU#213560.
These models are predominantly used in residential and small business settings, relying on web-based management interfaces that typically require a username and password for access.
Details of the Security Flaw
The flaw resides within the web server binary located at /bin/httpd, specifically in the login function. This function includes an undocumented backdoor authentication mechanism. Normally, user credentials are verified using an MD5-based password check. However, if this verification fails, the function uses a fallback process, revealing a hidden backdoor.
This backdoor leverages a secondary password stored in the device configuration, accessed via the GetValue(“sys.rzadmin.password”) function. Instead of using secure hashing or comparison methods, a plaintext strcmp() comparison is employed, which can grant administrative access if it matches.
Implications and Mitigation Strategies
Critically, this fallback process does not validate the username, allowing attackers to use any arbitrary username with the backdoor password to gain control. The backdoor’s undocumented nature makes it undetectable through standard interfaces, increasing its danger.
Exploiting this backdoor allows attackers to fully compromise affected devices, modify network settings, redirect traffic, disable security measures, or install malicious firmware. This level of access can lead to broader attacks, such as man-in-the-middle interceptions and lateral network movements.
Currently, no official patch or firmware update is available from Tenda, and vendor coordination attempts have been unsuccessful. Users should immediately disable remote web management functionalities to limit exposure and change default local IP addresses to thwart automated scans, though determined attackers may still succeed.
Security Concerns and Recommendations
This discovery raises significant concerns regarding firmware security practices and the reliability of the supply chain. Users and organizations utilizing these Tenda devices should vigilantly monitor for updates and consider replacing vulnerable hardware if no resolution is provided.
Strengthening network defenses and continuously monitoring for unusual activity remains crucial until a permanent fix is issued.
