Critical Tenda Vulnerability Allows Remote Admin Access
Key Takeaways A critical authentication bypass vulnerability (CVE-2026-11405) has been uncovered in Tenda network devices. The flaw allows unauthorized attackers to achieve full administrative access...
Key Takeaways
- A critical authentication bypass vulnerability (CVE-2026-11405) has been uncovered in Tenda network devices.
- The flaw allows unauthorized attackers to achieve full administrative access to affected routers without valid credentials.
- Multiple Tenda router models, including FH1201, W15E, AC10, AC5, and AC6 series, are impacted across various firmware versions.
- No official patch is currently available from Tenda, and users are advised to implement immediate mitigation strategies.
Critical Tenda Vulnerability Allows Remote Admin Access
A significant security flaw has been identified in Tenda network devices, creating a critical authentication backdoor that grants unauthenticated attackers complete administrative control. This vulnerability circumvents standard security protocols, allowing unauthorized access to router management interfaces.
Table Of Content
The issue impacts a range of Tenda router models widely deployed in both consumer and small business environments. Specifically, the FH1201, W15E, AC10, AC5, and AC6 series are affected across several firmware versions. These devices typically rely on web-based interfaces for configuration and management, which are intended to be secured by username and password credentials.
Designated as CVE-2026-11405, this vulnerability was formally documented and published by the CERT Coordination Center on July 6, 2026, under Vulnerability Note VU#213560.
Undocumented Backdoor in Web Server Binary
According to the advisory, the root cause of the vulnerability lies within the /bin/httpd web server binary of the affected Tenda devices. A specific function, login(), contains an undocumented authentication mechanism that deviates from the standard credential verification process.
Normally, the login() function validates user credentials through an MD5-based password verification. However, if this initial authentication attempt fails, the system executes an alternative code path that triggers a hidden backdoor. This backdoor retrieves a secondary password value from the device’s configuration using the GetValue("sys.rzadmin.password") function.
Crucially, instead of applying secure hashing or comparison methods, the system performs a direct, plaintext string comparison (strcmp()) between the attacker-supplied password and the stored backdoor value. If this comparison is successful, the system bypasses standard authentication, assigns the user an administrative role (role=2), and establishes a valid session.
A critical aspect of this flaw is that the username is not validated during this fallback authentication process. This means an attacker can provide any arbitrary username in conjunction with the correct backdoor password to gain full administrative privileges over the device. The existence of this mechanism is completely undocumented and cannot be identified or managed through the device’s standard administrative interface, making it particularly insidious.
Impact of Exploitation and Lack of Patch
Successful exploitation of this vulnerability grants attackers complete control over the compromised Tenda router. With administrative access, malicious actors can perform a wide array of damaging actions, including altering network configurations, redirecting internet traffic, disabling security features, or installing malicious firmware. Such control could facilitate broader attacks, such as man-in-the-middle interceptions, establishing persistent access within the network, and moving laterally to other connected systems.
As of the disclosure date, Tenda has not released an official patch or firmware update to address this critical vulnerability. Attempts to coordinate with the vendor regarding this issue have reportedly been unsuccessful, leaving affected users exposed.
What You Should Do
Given the absence of an official patch, users of Tenda FH1201, W15E, AC10, AC5, and AC6 series routers must take immediate mitigation steps to reduce their exposure:
- Disable Remote Web Management: Turn off any remote web management features on your Tenda router to prevent external access to its administrative interface. This is the most critical step to prevent external attackers from exploiting the vulnerability.
- Isolate Affected Devices: If possible, place affected devices on a segregated network segment to limit their exposure to internal and external threats.
- Monitor for Updates: Regularly check Tenda’s official website and security advisories for any future firmware updates or patches that may address this vulnerability.
- Consider Replacement: If a patch remains unavailable, evaluate replacing vulnerable Tenda hardware with devices from vendors that have a stronger track record of timely security updates.
- Change Default IP Address (Limited Effect): While not a definitive solution, changing the default local IP address of the router may slightly reduce the risk of automated scanning attacks targeting known IP ranges, but it will not deter a determined attacker.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.



No Comment! Be the first one.