
A newly disclosed backdoor in several Tenda router models lets attackers bypass authentication and obtain full administrative control over the device’s web interface, despite the vendor having released no fix. The vulnerability, tracked as CVE-2026-11405, was highlighted in a CERT/CC advisory after researchers discovered a hard‑coded credential embedded in the firmware.
The flaw resides in the authentication routine of the routers’ web management interface, where a secret username and password pair are accepted regardless of the administrator’s configured credentials. Affected firmware versions include those shipping with the FH1201, W15E, AC10, AC5 and AC6 models, as noted in a SecurityAffairs report. When an attacker supplies the hidden credentials, the router grants unrestricted privileges, allowing changes to firewall rules, port forwarding and DNS settings. No cryptographic protection or challenge‑response mechanism guards this backdoor.
Exploitation does not require any sophisticated tools; an attacker who can reach the router’s management page can simply submit the hidden login pair in a standard HTTP POST request. If remote web administration is enabled, the flaw can be abused from the internet; otherwise, an intruder must already be on the local network, perhaps via a compromised client or a rogue access point. Although no public proof‑of‑concept exploit has been released, the simplicity of the request means that weaponisation would be trivial for anyone with basic networking knowledge, a point echoed in The Hacker News coverage.
CERT/CC has not observed any active exploitation of CVE-2026-11405 in the wild, and no threat actor has been publicly linked to the flaw at this time. Nevertheless, the advisory warns that the presence of a static backdoor makes these devices attractive targets for botnet operators and malware campaigns that seek to hijack home and small office networks. The lack of a patch from Tenda leaves a window of opportunity that attackers could readily abuse, as discussed in a SecurityOnline analysis.
The discovery fits a broader pattern of hard‑coded credentials appearing in consumer networking gear, a trend that has repeatedly undermined the perceived security of home routers. Security researchers note that such flaws often survive firmware updates because they are baked into the vendor’s reference code, making timely mitigation dependent on the vendor’s release schedule. In this case, Tenda has not provided a timeline for a fix, highlighting the reliance on temporary defensive measures.
Network administrators should immediately disable remote web management on any affected Tenda device and restrict access to the router’s administration page to trusted LAN addresses only. Changing the default LAN IP address to a non‑standard subnet adds another layer of obscurity, though it does not remove the backdoor itself. Where possible, administrators should consider placing the router behind a dedicated firewall or using VLANs to isolate IoT devices from critical workstations. Monitoring logs for unexpected login attempts, especially those using unknown usernames, can help detect an attempted compromise.
Given the absence of a patch, the most reliable long‑term mitigation is to replace the affected routers with models from vendors that maintain a transparent patching process or to flash third‑party firmware that does not contain the hidden credential. In the interim, maintaining strict network segmentation and ensuring that no unnecessary services are exposed to the internet will reduce the likelihood that the flaw can be leveraged. Staying alert to future advisories from Tenda and the CERT/CC will help administrators react quickly should a fix become available.