
A security researcher has uncovered an undocumented backdoor in the firmware of multiple Tenda networking devices that grants attackers full administrative access without needing a password according to SecurityWeek. The issue resides in the login handling code where a specific username string is accepted regardless of the password field. This allows anyone who knows the hidden credential to log in as an administrator and take complete control of the device. The affected hardware spans several consumer and small‑business router models that are commonly deployed in home offices.
The vulnerability is catalogued as CVE-2026-11405 and results from insufficient validation of the username parameter during authentication. When the router receives a login request containing the backdoor username, it skips the password check and opens a privileged session. Exploitation requires only a single HTTP request to the web management interface, making it trivial for an attacker on the same network or, if remote management is enabled, from the internet. No complex tools or custom malware are needed to leverage the flaw.
Affected product lines include the FH1201, W15E, AC10, AC5 and AC6 routers, though the advisory notes that other firmware builds may also contain the same hidden credential as highlighted by Security Affairs. Once inside, an attacker can modify DHCP settings, alter firewall rules, upload malicious firmware or disable remote‑access logging to cover their tracks. The ability to manipulate DNS forwarding presents a path for man‑in‑the‑middle attacks on downstream devices. Because the backdoor exists in the firmware image itself, simply rebooting the device does not remove the risk.
CERT/CC has issued a warning that no patch is currently available from Tenda