CERT/CC has published an advisory warning that several Tenda router models contain a hardcoded authentication backdoor that grants full administrative access to anyone who knows a hidden password. The vulnerability, tracked as CVE-2026-11405, affects firmware versions for the FH1201, W15E, AC10, AC5, and AC6 product lines. An anonymous researcher discovered the flaw, which Tenda has not acknowledged or patched despite notification.
The backdoor exists within the login() function of the web server binary located at /bin/httpd. When a user attempts to authenticate, the system first checks the legitimate credentials using standard MD5-based password hashing. However, if that authentication fails, the code does not simply reject the login attempt. Instead, it retrieves an alternate password value stored in the device configuration under sys.rzadmin.password and performs a plaintext comparison using strcmp(). If the user-supplied password matches this hidden value, the system grants role=2 admin-level access and creates a valid session, completely ignoring the username field.
This backdoor password is embedded in the firmware binary itself, not in any user-accessible configuration file. The hidden credential appears to have been intentionally placed by Tenda during manufacturing, as it ships with every affected device. No setting in the management interface can disable this authentication path because it operates entirely outside the documented security controls. The backdoor cannot be removed through any owner-side configuration change.
Successful exploitation gives attackers complete control over the router's web management interface. With administrative access, an attacker can modify DNS settings to redirect traffic, disable security features, reconfigure network parameters, or use the compromised device as an entry point to attack other systems on the local network. CERT/CC characterizes this as enabling complete device takeover and broader network compromise.
CERT/CC recommends immediately disabling remote management on affected devices to prevent internet-based attacks. Users should also consider changing the default LAN IP address to make the device harder for automated scanners to locate, though this does not prevent targeted attacks. Because the backdoor is hardcoded in firmware and Tenda has not provided any timeline for a fix, organizations should evaluate whether these devices should remain in production networks. Until Tenda releases updated firmware that removes the backdoor code entirely, the only effective mitigation is ensuring the device cannot be reached from untrusted networks.
Source: https://securityaffairs.com/194878/security/hidden-tenda-router-backdoor-grants-admin-access-no-patch-available.html


