Tenda Router CVE-2026-11405 Backdoor Allows Admin Control
Tenda, a Chinese network device manufacturer, has critical firmware versions containing CVE-2026-11405, an undocumented authentication backdoor. This vulnerability allows an unauthenticated attacker to bypass the normal password verification process and gain full administrative control over affected devices' web management interfaces. The CERT Coordination Center (CERT/CC) issued a warning regarding this flaw.
The flaw is located in the login() function of the /bin/httpd web server binary. An alternate, hidden code path can be triggered if standard authentication fails. This grants admin-level access without requiring valid credentials. A specific CVSS score has not been publicly assigned as of the CERT/CC alert. However, the ability to achieve full administrative control means it has high severity.
As of the latest reports, CVE-2026-11405 remains unpatched; numerous Tenda router models are exposed. This backdoor creates a significant risk, allowing device takeover and unauthorized configuration changes. Users of affected devices are advised to implement mitigation strategies to reduce exposure to this critical vulnerability.
What is CVE-2026-11405 and why is it critical?
CVE-2026-11405 is an undocumented authentication backdoor in the firmware of several Tenda router models. This vulnerability is critical because it allows an unauthenticated attacker to gain full administrative access to the device's web management interface. The backdoor operates by introducing an alternative, unvalidated authentication path in the login process.
Upon successful exploitation, an attacker can bypass all standard security controls designed to protect the router's administrative functions. This allows for unauthorized modification of system settings, disabling of security features, and complete reconfiguration of the device. Full device takeover without any valid credentials is a major risk to the integrity, confidentiality, and availability of networks relying on these routers. Its criticality is made worse by its hidden nature, which makes it undetectable through normal administrative interfaces.
Impact
The impact of CVE-2026-11405 is complete administrative compromise of affected Tenda routers. An attacker who successfully exploits this backdoor can gain unfettered access to the device, effectively controlling all its functions and network traffic. This includes the ability to alter DNS settings, modify firewall rules, redirect network traffic, establish VPN connections, and potentially eavesdrop on or manipulate data flowing through the router. The undisclosed nature of the backdoor means that legitimate administrators would not be aware of its existence or the alternative authentication mechanism.
Organizations and individuals using the affected Tenda router firmware versions are at direct risk. An attacker with administrative control can integrate the compromised device into botnets, use it as an entry point for further network penetration, or establish persistent access. For home users, this could lead to sensitive data exposure, malicious redirects to phishing sites, or the device being used in denial-of-service attacks. For enterprises, a compromised router could breach network segmentation, facilitate data exfiltration, or disrupt critical operations. This type of firmware-level vulnerability, especially one that grants unauthenticated administrative access, severely degrades security. For context on similar vulnerabilities, our prior analysis of firmware flaws in TOTOLINK and D-Link routers details comparable risks where deep device control can be achieved by malicious actors.
How does the CVE-2026-11405 exploitation chain function?
The exploitation of CVE-2026-11405 begins with an attacker attempting to access the Tenda router's web management interface. The attack vector is the standard HTTP/HTTPS service that hosts the administrative portal. While initial access might require the web interface to be exposed (either locally on the LAN or remotely if remote management is enabled), the actual exploitation does not need valid user credentials. The backdoor uses a specific, undocumented code path within the router's firmware.
The technical mechanics of the backdoor are focused on the login() function within the /bin/httpd web server binary. Normally, this function processes user-supplied credentials through an MD5-based password verification. However, CVE-2026-11405 introduces an alternate flow. If the initial MD5 authentication fails, the system does not immediately deny access. Instead, it proceeds to invoke GetValue("sys.rzadmin.password") to retrieve a pre-defined, alternate password directly from the device's configuration. This configuration-stored value is then compared directly in plaintext against the password submitted by the user.
If the attacker provides the specific, hardcoded or statically configurable backdoor password, this plaintext comparison will succeed. Critically, the associated username (rzadmin) is not validated in this alternate path; any username supplied will be accepted as long as it is paired with the correct backdoor password. Upon a successful match, the application grants an administrator-level role (role=2) and establishes a fully privileged session. This process occurs without any indication to a legitimate administrator that an undocumented authentication mechanism has been used. The CERT/CC specifically noted that this backdoor is not visible or configurable through any standard administrative interface, signifying its stealthy and intentional nature. This behavior is similar to other critical firmware vulnerabilities that enable remote takeover, as explored in our write-up on a TOTOLINK firmware vulnerability.
Which Tenda products are affected by CVE-2026-11405?
The CVE-2026-11405 backdoor affects multiple versions of firmware released for various Tenda router models. These specific firmware builds contain the vulnerable login() function with the included authentication bypass. Users and network administrators must identify if their devices are running any of the affected versions.
The identified affected firmware versions are:
- US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
- US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
- US_AC10V1.0re_V15.03.06.46_multi_TDE01
- US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
- US_AC6V2.0RTL_V15.03.06.51_multi_T
Users should verify the exact firmware version installed on their Tenda devices against this list. The presence of any of these firmware versions indicates exposure to CVE-2026-11405, allowing unauthenticated administrative control. The widespread nature of firmware flaws across various router brands shows why device-specific vulnerability advisories are important, as seen in our coverage of an InHand router command injection vulnerability (CVE-2026-XXXX).
What are the detection opportunities for CVE-2026-11405?
Detecting exploitation of CVE-2026-11405 can be challenging due to the backdoor's undocumented nature and the fact that it bypasses standard authentication logging mechanisms. However, security teams and network administrators can look for several indicators. Since the backdoor grants full administrative access, subsequent attacker actions will likely generate detectable activity within the network or on the device itself.
Network-Level Indicators:
- Unusual Inbound Connection Attempts: Monitor for repeated or abnormal connection attempts to the router's web management interface (typically on ports 80 or 443) from external IP addresses, especially if remote management is usually disabled.
- Traffic Anomalies: Look for unexpected outbound connections initiated by the router that deviate from its normal operational profile. This could include connections to unknown external IPs, unusual protocols, or excessive data transfer volumes.
- Unexpected DNS Queries: If an attacker alters the router's DNS settings, observed DNS queries originating from internal devices might resolve to malicious or unexpected domains. Monitoring for changes in upstream DNS servers configured on the router is also critical.
- Port Scans: Increased port scanning activity originating from the router towards internal network segments could indicate an attacker pivoting to internal reconnaissance.
Device-Level Indicators (Configuration and Behavior):
- Unauthorized Configuration Changes: The most direct evidence of compromise would be any unapproved modifications to router settings. This includes changes to Wi-Fi passwords, firewall rules, port forwarding configurations, DHCP settings, or default LAN IP addresses. While the backdoor itself might not log, the actions taken after gaining administrative access often leave traces.
- Credential Changes: If administrative credentials for the router itself are unexpectedly modified, this signals compromise, as an attacker would likely want to lock out legitimate users.
- Unexpected Service Activity: The presence of new, unfamiliar, or unauthorized services running on the router, or unusual process activity within the
/bin/httpdcontext, could be a sign of post-exploitation actions. - Anomalous Login Patterns: While the backdoor might not log itself, successful logins followed by rapid, extensive configuration changes or failed authentication attempts from legitimate users immediately after successful backdoor access could be suspicious. Security teams should correlate failed login attempts with subsequent activity.
General Security Practices:
- Regular Configuration Backups: Maintain regular, verified backups of router configurations. This allows for comparison with current configurations to detect unauthorized changes.
- Network Segmentation: Implement strong network segmentation to limit the lateral movement potential of an attacker who has compromised the router.
- Traffic Monitoring: Deploy network intrusion detection systems (NIDS) or firewalls capable of deep packet inspection to monitor traffic patterns for anomalies and suspicious payloads originating from or destined for the router.
What remediation measures are available for CVE-2026-11405?
As of the current reporting, CVE-2026-11405 remains unpatched by Tenda. This means there is no official firmware update available that directly removes the backdoor. Therefore, remediation efforts must focus on mitigating the exposure and reducing the attack surface. Users of affected Tenda routers should prioritize the following actions:
1. Patching (Currently Unavailable):
- Monitor Tenda's official support channels and the CERT/CC advisory for any future firmware releases that address CVE-2026-11405. Immediately apply any validated security patches once they become available. Given the severity, a patch is the most effective long-term solution.
2. Workarounds and Mitigations (Immediate Action Required):
- Disable Remote Management: The most critical immediate step is to disable remote management access to the router's web interface. This prevents external attackers from reaching the vulnerable
login()function. This setting is usually found within the router's administration panel under "Security" or "Remote Management" options. This restricts the attack vector to local network access only. - Change Default LAN IP Address: Modify the router's default LAN IP address (e.g., from
192.168.0.1or192.168.1.1to a less common range). This action helps prevent opportunistic discovery by automated scanners that target known default IP ranges. While not preventing a targeted attack, it raises the bar for mass exploitation attempts. - Isolate Network Segment: For critical environments, consider placing affected Tenda routers on a highly restricted network segment, separate from sensitive internal resources. This limits potential lateral movement if the device is compromised.
- Implement Strong Network Access Controls: Ensure that only trusted devices and users can access the router's administrative interface from within the local network. Utilize MAC address filtering or static IP assignments where feasible to restrict access.
- Review and Restrict Port Forwarding: Audit all port forwarding rules configured on the router. Remove any unnecessary port forwards, especially those that expose internal services to the internet, as these could provide alternative entry points for attackers once the router itself is controlled.
3. Monitoring (Ongoing):
- Monitor for Unauthorized Configuration Changes: Regularly review the router's configuration settings to detect any unauthorized modifications. Maintain backups of known-good configurations for comparison.
- Network Traffic Analysis: Continuously monitor network traffic originating from and destined for the router for any suspicious patterns or anomalies that could indicate compromise. This includes unexpected outbound connections or unusual traffic volumes.
- Device Replacement: If the risk profile or operational requirements cannot tolerate an unpatched, high-severity vulnerability, consider replacing the affected Tenda router with a device from a vendor that has a demonstrated track record of timely security updates and transparent vulnerability disclosure.
Until a definitive patch is released, these mitigation strategies are essential for reducing the attack surface and potential impact of CVE-2026-11405. Proactive security posture is necessary in the absence of vendor-supplied fixes for critical vulnerabilities.
Technical Takeaways
- CVE-2026-11405 is an undocumented authentication backdoor present in the firmware of several Tenda router models.
- The vulnerability bypasses standard MD5-based password verification by activating an alternate code path in the
/bin/httpdweb server binary'slogin()function. - An attacker can gain full administrative control by supplying a specific backdoor password, which is then directly compared in plaintext against a value fetched from
sys.rzadmin.password. - The backdoor does not validate the username, allowing any provided username to succeed when paired with the correct backdoor password.
- This critical flaw remains unpatched as of the CERT/CC advisory, leaving affected devices vulnerable to complete device takeover.
- Primary mitigations include disabling remote management and changing the router's default LAN IP address to reduce external exposure and opportunistic scanning.