Several Tenda firmware versions have a hidden backdoor that lets people gain admin access to the device’s web interface. An attacker can use this flaw, known as CVE-2026-11405, to skip the password check and take full control without proper login details, the CERT Coordination Center (CERT/CC) reported on Monday.
“An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process and obtain full administrative control without valid credentials,” the CERT/CC said in an alert.
The vulnerability impacts multiple versions of the firmware:
US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
US_AC10V1.0re_V15.03.06.46_multi_TDE01
US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
US_AC6V2.0RTL_V15.03.06.51_multi_T
The backdoor feature is found in the “login()” function of the “/bin/httpd” web server. It first checks passwords normally with MD5. If the password check fails, it uses a different code path.
Calling “GetValue(“sys.rzadmin.password”)” retrieves a different password value from the device settings. Then, it checks if the password given by the user matches the stored one. If they match, the app gives access to admin-level (role=2) and starts a session with higher privileges.
“The associated [“rzadmin”] username is not validated, so any provided username will succeed when paired with the backdoor password,” the CERT/CC said. “This backdoor authentication mechanism is not documented or visible through any administrative interface.”
Successful use of this username check flaw gives full admin access to the device’s web interface, no matter what the admin credentials are. This could let an attacker change settings from afar, turn off security features, or change the device setup, which might result in taking over the whole device.
The issue, pointed out by a nameless researcher, is not patched yet.
Users should turn off remote management on the device and change the default LAN IP address. This will help stop bad actors from getting in and lower the chances of automated scanners finding it by targeting usual default IP ranges.
InfoSecBulletin Cybersecurity for mankind
