CERT/CC warns Tenda router firmware has an undocumented admin backdoor
CERT/CC says five firmware builds accept any username if a hidden alternate password matches a device configuration value.
By Ryan Merket · Published
Why it matters
The danger is the hidden fallback path: strong admin credentials do not protect affected Tenda routers if the alternate password mechanism is reachable.

Tenda router firmware used in several Wi-Fi routers contains a hidden authentication backdoor that can grant administrator access to the device web management panel, according to a July 6th vulnerability note from CERT/CC and July 7th reporting from BleepingComputer.
The vulnerability is tracked as CVE-2026-11405. CERT/CC says the bug affects five Tenda firmware versions tied to the FH1201, W15E, AC10, AC5 and AC6 V2 routers. As of CERT/CC's July 6th advisory, no patch was available. CERT/CC's vendor table lists Tenda's status as "Unknown," says Tenda was notified on May 19th, and states that CERT/CC had not received a vendor statement.
The backdoor sits in the login() function of the /bin/httpd web server binary, according to CERT/CC and NVD. The login flow first follows the expected password check using MD5 or hash-based verification. If that check fails, the firmware calls GetValue("sys.rzadmin.password"), reads an alternate password value from device configuration, and compares it directly against the password supplied by the user. A match creates a valid session with role=2, which CERT/CC describes as admin-level access.
The key detail is the missing username check. CERT/CC says the associated username is never validated, which means any username can work when paired with the alternate password. The mechanism is undocumented and does not appear in the administrative interface, leaving owners without a visible way to know the secondary login path exists.
That makes the advisory more serious than a routine weak-password finding. The configured administrator credentials are not the deciding factor once the hidden path is reached. CERT/CC says exploitation gives full administrative access to the web interface, allowing an attacker to change network settings, reconfigure the router and disable security features. For a router, that control can become a foothold into the local network rather than a problem limited to the device itself.
The affected firmware builds listed by CERT/CC are:
US_FH1201V1.0BR_V1.2.0.14(408)_EN_TDfor the Tenda FH1201 Wi-Fi routerUS_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDEfor the Tenda W15E Wi-Fi routerUS_AC10V1.0re_V15.03.06.46_multi_TDE01for the Tenda AC10 Wi-Fi routerUS_AC5V1.0RTL_V15.03.06.48_multi_TDE01for the Tenda AC5 Wi-Fi routerUS_AC6V2.0RTL_V15.03.06.51_multi_Tfor the Tenda AC6 V2 Wi-Fi router
NVD had not assigned a CVSS score as of its entry viewed after publication, and NVD marked the CVE as "Not Scheduled" for enrichment. That leaves defenders with CERT/CC's technical description, the affected-version list and mitigations rather than a vendor patch or severity score.
CERT/CC's recommended defense is to disable remote web management if the device supports it, which blocks attackers on external networks from reaching the administrative dashboard over the internet. CERT/CC also recommends reducing local exposure by changing the default LAN IP address, while warning that this step only reduces opportunistic discovery by automated scanners and does not stop targeted scanning.
Tenda's own Download Center remains the logical place for owners to check firmware availability, but CERT/CC's advisory is the source of record for the affected builds and the current lack of a coordinated fix. Tenda sells home and business networking equipment, including routers, switches, wireless access points and video surveillance devices, according to CERT/CC's description.
BleepingComputer reported that the issue was discovered by an anonymous researcher and that there was no public mention of active exploitation at the time of its July 7th story. Router vulnerabilities often attract automated scanning once details become public because edge devices sit between the internet and local networks, remain online for long periods, and are often patched slower than laptops or servers. In this case, the practical exposure turns on one operational fact: whether the vulnerable web management interface is reachable from the internet or from untrusted devices on the local network.