A newly disclosed vulnerability in several Tenda router models contains a hidden authentication backdoor that lets attackers obtain full administrative control without ever supplying valid credentials. The flaw, tracked as CVE-2026-11405, was published by the CERT Coordination Center under Vulnerability Note VU#213560 on July 6, 2026.
Affected Devices
The backdoor affects multiple firmware versions across several Tenda models widely deployed in home and small-business networks, including the FH1201, W15E, AC10, AC5, and AC6 series. These routers typically rely on a web-based management interface secured by standard username-and-password authentication — or so administrators are led to believe. Tenda devices are commonly sold through consumer retail channels and ISP bundles, meaning many affected units are managed by non-technical end users who are unlikely to notice anything unusual even if the backdoor is actively exploited.
How the Backdoor Works
According to the advisory, the flaw lives inside the router’s web server binary, /bin/httpd, specifically within the login() function. That function contains an undocumented authentication path that performs a direct, plaintext strcmp() comparison between the password supplied by a client and a hardcoded value baked into the firmware.
If the comparison succeeds, the system grants administrative privileges by assigning role=2 and creating a valid session — no legitimate credentials required. Critically, the corresponding username is never validated, meaning an attacker can pair the backdoor password with any arbitrary username and still gain full administrative control. This is a textbook example of a firmware backdoor: a hardcoded secret sitting alongside legitimate authentication logic, invisible unless someone reverse-engineers the binary itself.
Why It’s Especially Dangerous
Because this authentication mechanism isn’t documented anywhere and doesn’t surface in the standard admin interface, there’s no user-facing way to detect or disable it. Administrators reviewing their router settings would see nothing out of the ordinary, even while the backdoor remains fully exploitable in the background. Unlike a weak default password, which at least appears somewhere in a configuration screen, this class of flaw exists entirely outside the visible attack surface that a typical audit would check.
Potential Impact
Successful exploitation hands an attacker complete control over the device. With administrative access, an attacker could:
- Modify network configuration and DNS settings
- Redirect or intercept traffic for man-in-the-middle attacks
- Disable security controls such as firewalls
- Push malicious firmware to the device
- Use the compromised router as a foothold for lateral movement into the broader network
- Enroll the device into a botnet for use in larger-scale attacks against other targets
Given how commonly these consumer and SMB-grade routers are deployed — often with remote administration left enabled by default — the exposure window for unpatched devices could be substantial. Internet-wide scanning for exposed management interfaces typically begins within days of a vulnerability like this becoming public, so the practical window to patch before mass exploitation attempts begin is short.
Mitigation
No patched firmware had been confirmed as available at the time of disclosure. Until one is released, researchers recommend:
- Disabling remote/WAN-facing access to the router’s admin interface
- Changing the device’s default local IP address to reduce exposure to automated scans (not a full fix, but raises the bar for opportunistic attackers)
- Monitoring vendor channels closely for firmware updates
- Considering replacement of affected hardware if no fix is issued in a reasonable timeframe
- Segmenting IoT and consumer networking gear away from sensitive internal systems where possible
The discovery adds to a growing list of consumer router backdoors uncovered in recent years, reviving concerns about firmware supply-chain integrity and the auditability of embedded device software. For organizations that rely on consumer-grade networking gear in branch offices or remote work setups, this is another reminder that set-it-and-forget-it hardware can quietly become a serious liability, and that router firmware deserves the same lifecycle management as any other piece of network infrastructure.