If you own a Tenda router, listen up. CERT/CC has found an undocumented backdoor hiding in multiple versions of Tenda’s firmware. And yes, it gives attackers full admin access without needing a password.
The vulnerability is tracked as CVE-2026-11405. It lives in the “/bin/httpd” web server binary, inside the login function. The login process starts by checking passwords normally using MD5 hashing. But if that fails, it switches to a backup path: it pulls an alternate password from the device config and compares it to whatever the user typed in — in plaintext. If they match, you’re in as admin (role=2).
The username doesn’t even get validated. CERT/CC says any username works as long as you have the backdoor password. That’s not documented anywhere. You won’t see it in any admin interface.
Affected firmware versions include US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T.
An attacker who exploits this can remotely change settings, disable security features, or reconfigure the device entirely. We’re talking full device takeover.
As of now, there’s no patch. The vulnerability was reported anonymously and Tenda hasn’t commented yet.
What can you do? Disable remote management on the device. Change the default LAN IP address too. That makes it harder for automated scanners that sweep known default IP ranges to find you.
