Tenda firmware hidden admin backdoor security flaw (CVE-2026-11405)
Vulnerability
Summary
Hide ▲
Show ▼
An undocumented authentication backdoor in Tenda firmware now exposes multiple router builds to full administrative takeover without valid credentials. The flaw is tracked as CVE-2026-11405 and sits in the `/bin/httpd` web server binary's `login()` path, where failed authentication can fall back to a plaintext check against `GetValue("sys.rzadmin.password")`. The issue is unpatched as of writing and can let an attacker change settings, disable security features, or reconfigure the device remotely.
Related Happenings
CERT/CC Tenda router backdoor mitigation
Advisory/Mitigation
H score31
First: 07.07.2026 09:40
Last: 07.07.2026 09:40
Sources 1
How related:
In the interim, users are advised to disable remote management on the device and change the default LAN IP address to prevent bad actors from reaching it and reduce opportunistic discovery by automated scanners that target known default IP ranges.
About this happening:
**CERT/CC** issued interim mitigation for **Tenda firmware** after disclosure of **CVE-2026-11405**, advising users to **disable remote management** and **change the default LAN I...
CERT/CC Tenda router backdoor mitigation
Advisory/MitigationHow related: In the interim, users are advised to disable remote management on the device and change the default LAN IP address to prevent bad actors from reaching it and reduce opportunistic discovery by automated scanners that target known default IP ranges.
About this happening: **CERT/CC** issued interim mitigation for **Tenda firmware** after disclosure of **CVE-2026-11405**, advising users to **disable remote management** and **change the default LAN I...
Unattributed operators campaign expands across multiple victims
Campaign
H score37
First: 19.11.2025 16:35
Last: 19.11.2025 16:35
Sources 1
About this happening:
The **Operation WrtHug** campaign is hijacking **ASUS WRT routers** worldwide by exploiting **six vulnerabilities** and abusing **AiCloud**, creating a large pool of compromised d...
Unattributed operators campaign expands across multiple victims
CampaignAbout this happening: The **Operation WrtHug** campaign is hijacking **ASUS WRT routers** worldwide by exploiting **six vulnerabilities** and abusing **AiCloud**, creating a large pool of compromised d...
Timeline
-
07.07.2026 09:40 2 articles · 2d ago
CERT/CC warns of hidden admin backdoor in Tenda firmware
Initial DisclosureCERT/CC warns that several Tenda router firmware versions, including US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T, contain an undocumented authentication backdoor in the /bin/httpd login() path tracked as CVE-2026-11405. After normal MD5-based verification fails, the code can fall back to GetValue("sys.rzadmin.password"), compare the supplied password in plaintext, grant role=2, and create an elevated session, allowing full administrative control without valid credentials. The issue remains unpatched as of writing, and users are advised to disable remote management and change the default LAN IP address.
Show sources
- CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware — thehackernews.com — 07.07.2026 09:40
- CERT/CC Warns of Hidden Admin Backdoor in Tenda Router Firmware — thehackernews.com — 07.07.2026 09:40