Skip Navigation

July 10, 2026 |

Tenda firmware backdoor grants administrative access to network devices

Loading table of contents...

At a glance: A hidden authentication backdoor in multiple Tenda firmware versions allows administrative access to affected devices through their web management interfaces. Tracked as CVE-2026-11405, the vulnerability affects several Tenda router models and remains unpatched at the time of publishing. Organizations using affected devices are advised to identify exposed systems, limit access to management interfaces, and monitor for future vendor updates.

Threat summary

On July 6, the CERT Coordination Center (CERT/CC) reported on a hidden authentication mechanism in multiple Tenda firmware versions that allows administrative access to affected devices through the web management interface.

Tenda produces networking equipment including routers, switches, wireless access points, and surveillance devices. The affected firmware has been identified in multiple router models, including the FH1201, W15E, AC10, AC5, and AC6 product lines. These devices use web-based administrative interfaces for management and configuration.

According to CERT/CC, the issue, tracked as CVE-2026-11405, exists in the /bin/httpd web server binary. During authentication, the software follows a normal password verification process. If authentication fails, an alternate code path retrieves a password value stored in the device configuration and compares it directly to the supplied password. If the values match, administrative access is granted without validating the username.

Successful exploitation provides administrative access to the device's management interface. CERT/CC states that an adversary could modify configurations, alter network settings, and disable security features. Compromise of a network edge device may create opportunities for further activity within the local network.

Public reporting includes claims that CVE-2026-11405 is being exploited and that proof-of-concept or scanning tools are available. However, as of July 9, CVE-2026-11405 does not appear in CISA's Known Exploited Vulnerabilities (KEV) catalog.

At the time of publishing, no vendor patch is available for CVE-2026-11405.

Analysis

An adversary with knowledge of the alternate authentication mechanism could gain administrative control of an affected device. Control of a router or other network device may enable configuration changes, traffic manipulation, or reduced visibility into network activity. These outcomes depend on the device's role, network architecture, and exposure.

Organizations operating Tenda devices can identify affected firmware versions and determine whether management interfaces are reachable from untrusted networks. CERT/CC recommends disabling remote web management where the capability exists, and limiting exposure of administrative interfaces.

Organizations can review asset inventories for affected Tenda models, particularly devices deployed at branch offices, remote locations, and small-site environments. Network monitoring can help identify administrative access attempts, configuration changes, and unexpected communications involving affected devices. No patch is currently available.

Monitor Tenda advisories for firmware updates that address CVE-2026-11405 and update affected devices when a fix becomes available.

ThreatRoundUp_SignUp_Simplifiedx2

Stay on top of emerging threats like this.

Sign up to receive a weekly roundup of our security intelligence feed. You'll be the first to know of emerging attack vectors, threats, and vulnerabilities. 

Sign up