These popular Tenda routers have an unpatched security backdoor which could give hackers access

These popular Tenda routers have an unpatched security backdoor which could give hackers access

  • CERT/CC discloses CVE‑2026‑11405, a critical 9.8/10 flaw in multiple Tenda router families caused by a hardcoded backdoor credential
  • Attackers can bypass normal login checks and gain full admin access with the hidden password, regardless of configured username or password
  • Tenda has not responded; CERT/CC advises disabling remote web management and limiting local exposure, though these are only partial mitigations

Multiple Tenda router families carry a critical vulnerability that allows malicious actors to log in with admin privileges without knowing the credentials, experts have found.

The CERT Coordination Center disclosed a vulnerability in Tenda routers which it described as an undocumented authentication backdoor caused by a hardcoded credential.

The flaw is tracked as CVE-2026-11405 and was assigned a severity score of 9.8/10 (critical). CERT/CC allegedly tried reaching out to the manufacturer, to no avail.

How the vulnerability works

Explaining how it works, CERT/CC says that the attacker would first try to log into the router’s web management interface normally. Even if the credentials are wrong, the firmware would not automatically reject them, but would rather check a second, hidden password, stored internally. If the attacker knows the hidden credential, they get full admin access, regardless of the configured admin password or username.

The username doesn’t even matter, as long as the password is supplied. Obviously, CERT/CC did not say what the password was, but with a little reverse-engineering of the firmware, it can be exposed either on the dark web, or to the general public.

Tenda is a Chinese company building budget networking gear, popular mostly in India and adjacent markets, where its products are popular in homes and among small businesses.

The flaw thus still affects multiple firmware versions, including FH1201, W15E, AC10, AC5, and AC6 router families. To make matters worse, CERT/CC added that the full list of affected models is probably even bigger.

Tenda is yet to comment on the findings. In the meantime, CERT/CC recommended users disable remote web management, if possible, to make sure the vulnerability cannot be exploited remotely, at least. The organization also suggests limiting local network exposure, but stresses that this is not an entirely bulletproof solution.

Via Tom’s Hardware