Find notable cyber news and cases, enriched with sources, timelines, and signals.

Tenda firmware hidden admin backdoor security flaw (CVE-2026-11405)

Vulnerability
First reported
Last updated
Happening score
H score 33
1 unique sources, 1 articles

Summary

Hide ▲

An undocumented authentication backdoor in Tenda firmware now exposes multiple router builds to full administrative takeover without valid credentials. The flaw is tracked as CVE-2026-11405 and sits in the `/bin/httpd` web server binary's `login()` path, where failed authentication can fall back to a plaintext check against `GetValue("sys.rzadmin.password")`. The issue is unpatched as of writing and can let an attacker change settings, disable security features, or reconfigure the device remotely.

Related Happenings

CERT/CC Tenda router backdoor mitigation

Advisory/Mitigation
H score31 First: 07.07.2026 09:40 Last: 07.07.2026 09:40 Sources 1

How related: In the interim, users are advised to disable remote management on the device and change the default LAN IP address to prevent bad actors from reaching it and reduce opportunistic discovery by automated scanners that target known default IP ranges.

About this happening: **CERT/CC** issued interim mitigation for **Tenda firmware** after disclosure of **CVE-2026-11405**, advising users to **disable remote management** and **change the default LAN I...

Unattributed operators campaign expands across multiple victims

Campaign
H score37 First: 19.11.2025 16:35 Last: 19.11.2025 16:35 Sources 1

About this happening: The **Operation WrtHug** campaign is hijacking **ASUS WRT routers** worldwide by exploiting **six vulnerabilities** and abusing **AiCloud**, creating a large pool of compromised d...

Timeline

  1. 07.07.2026 09:40 2 articles · 2d ago

    CERT/CC warns of hidden admin backdoor in Tenda firmware

    Initial Disclosure

    CERT/CC warns that several Tenda router firmware versions, including US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T, contain an undocumented authentication backdoor in the /bin/httpd login() path tracked as CVE-2026-11405. After normal MD5-based verification fails, the code can fall back to GetValue("sys.rzadmin.password"), compare the supplied password in plaintext, grant role=2, and create an elevated session, allowing full administrative control without valid credentials. The issue remains unpatched as of writing, and users are advised to disable remote management and change the default LAN IP address.

    Show sources