ProBackend
ai vulnerability disclosures
4 hours ago4 min read

The Tenda Backdoor Nobody Knew Existed — And Why It Matters

A hidden authentication backdoor in Tenda router firmware (CVE-2026-11405) grants admin access to anyone who knows the secret password. No patch exists. Here's what you need to know before attackers find it first.

The Tenda Backdoor Nobody Knew Existed — And Why It Matters

Here's a thought that should keep you up at night: your router has a secret door. Not the kind you lock. The kind someone else built, documented nowhere, and left wide open.

That's exactly what CERT/CC uncovered this week. CVE-2026-11405 isn't a theoretical vulnerability you'd find in a lab. It's a hardcoded backdoor buried inside the login() function of Tenda's /bin/httpd binary — and it works whether you know it's there or not.

I've spent years tracking state-sponsored intrusions and corporate espionage cases. What makes this one particularly nasty isn't just the technical flaw. It's the silence around it. Tenda, the Chinese networking equipment maker, couldn't be reached by CERT/CC when they tried to report this. No patch. No acknowledgment. Just silence.

That tells you everything you need to know about the threat landscape for consumer-grade networking gear. You're not just buying a router. You're installing an unmonitored access point into your network.

How the Backdoor Actually Works

Let me walk you through what happens when someone tries to log into your Tenda router's web management panel.

First, the firmware attempts standard MD5-based authentication. That's normal. That's what you'd expect. If the credentials match, great — you're in.

But here's where it gets ugly. If that standard auth fails, the system doesn't just reject you. It reaches for a backup password stored in sys.rzadmin.password and compares it directly to whatever plaintext password the remote user supplied.

Match? You're in. As administrator. Role=2 access. Full control.

And the username? Doesn't matter. Any username works. Type in admin. Type in guest. Type in test123. As long as you know the backdoor password, you're the boss.

CERT/CC puts it bluntly: "Successful exploitation grants full administrative access to the device's web interface, regardless of the configured administrator account credentials."

Translation: your actual admin password is irrelevant. The backdoor bypasses it entirely.

Why This Is Worse Than You Think

I keep coming back to the silence. Tenda couldn't be reached. That's not just bad customer service — it's a red flag that suggests either the company is defunct, understaffed, or something else entirely.

When a vendor goes dark on a critical vulnerability, you have to assume the worst. Attackers don't need your permission to scan for this. They don't need a responsible disclosure window. They just need to know the backdoor exists.

And they will know. Botnets that target router flaws are already out there, automating the discovery of exactly this kind of vulnerability. The question isn't if this gets exploited — it's when.

Once an attacker has admin access, the possibilities are endless. They can reconfigure your network settings. Disable security features. Pivot laterally into devices on your local network. Enlist your router in a botnet.

For home users, that means your smart devices, your NAS, maybe even your work laptop if you're running from home. For small businesses? That's your entire network perimeter, gone in seconds.

The Affected Devices

CERT/CC has identified five specific Tenda models running vulnerable firmware:

  • Tenda FH1201 (US_FH1201V1.0BR_V1.2.0.14)
  • Tenda W15E (US_W15EV1.0br_V15.11.0.5)
  • Tenda AC10 (US_AC10V1.0re_V15.03.06.46)
  • Tenda AC5 (US_AC5V1.0RTL_V15.03.06.48)
  • Tenda AC6 V2 (US_AC6V2.0RTL_V15.03.06.51)

If you're running any of these, you're exposed. Right now.

For deeper technical analysis of router firmware vulnerabilities and how they are exploited in the wild, see our guide to router security best practices.

What You Can Do About It

Here's the bad news: there's no patch. Not yet. Maybe not ever, given Tenda's silence.

But you're not helpless. CERT/CC has two recommendations that actually make sense:

Disable remote web management. This is the big one. If you can't access your router's admin panel from the internet, attackers can't either. Do this immediately.

Change your default LAN IP address. Tenda routers probably ship with a standard IP that automated scanners know to look for. Change it. Make yourself harder to find.

These aren't perfect solutions. They're damage control. But in the absence of a vendor response, they're your best option.

The Bigger Picture

I've seen this pattern before. Vendor goes dark. Vulnerability sits unpatched. Attackers find it. Damage happens.

What bothers me most is how predictable this all is. Consumer-grade networking equipment has always been a weak link. People buy the cheapest router they can find, plug it in, and forget about it. Meanwhile, they're running software from a company that may not even be monitoring their security communications.

This isn't just a Tenda problem. It's a symptom of how we treat infrastructure. We buy it, install it, and assume it'll be maintained. That assumption is exactly what attackers exploit.

The anonymous researcher who discovered CVE-2026-11405 did the right thing by reporting it to CERT/CC. But reporting isn't enough when the vendor doesn't respond. The onus now falls on users to protect themselves.

Disable that remote access. Change that IP address. And maybe, just maybe, consider whether that $30 router is really worth the risk.


This article covers CVE-2026-11405 as reported by CERT/CC and documented by BleepingComputer. No active exploitation has been confirmed, but the vulnerability is expected to be targeted by automated botnets in the near term.

The Tenda Backdoor Nobody Knew Existed — And Why It Matters

More blogs