Skip to content
Tech News
← Back to articles

Hidden backdoor in Tenda router firmware grants admin access

read original more articles

A hidden authentication backdoor has been found in multiple Tenda router firmware versions, potentially allowing an attacker to gain administrative access to the device's web management panel.

According to a security bulletin from the CERT Coordination Center, the issue remains unfixed because the Chinese maker of the networking equipment couldn't be reached.

CERT/CC says the issue, tracked as CVE-2026-11405, is caused by an undocumented authentication mechanism in the 'login()' function of the '/bin/httpd' web server binary.

If a user attempts to log in, the router firmware will perform standard MD5-based authentication. If that fails, it will retrieve an alternate password from the 'sys.rzadmin.password' configuration value and compare it directly to the plaintext password supplied by the remote user.

If the passwords match, the device grants administrator (role=2) access and creates a valid session, regardless of the username entered.

So any username will be accepted by the mechanism as long as the backdoor password is supplied.

CERT/CC says this mechanism isn't documented anywhere, or mentioned on the administrative interface, leaving users unaware of the risk.

"Successful exploitation grants full administrative access to the device's web interface, regardless of the configured administrator account credentials," describes CERT/CC.

"With administrative control, an attacker can reconfigure the device, alter network settings, and disable security features, enabling broader compromise of the local network."

CVE-2026-11405 impacts the following Tenda firmware versions and devices:

... continue reading