Tenda Router Backdoor CVE-2026-11405: Check Your Firmware

Brendan Smith
Brendan Smith - Cybersecurity Analyst
6 Min Read
Tenda router backdoor warning for CVE-2026-11405
A Tenda router admin panel with a hidden access path, illustrating CVE-2026-11405 risk.

CERT/CC has warned that several Tenda router firmware builds contain a hidden authentication backdoor, tracked as CVE-2026-11405. The practical risk is simple: if an affected device’s web management interface is reachable, an attacker may be able to bypass the normal administrator password check and take over the router configuration.

This is not a normal weak-default-password issue. The CERT/CC note says the undocumented path sits in the router web server’s login logic, so changing the visible admin password is useful housekeeping but does not remove the backdoor itself. Until Tenda ships fixed firmware, owners should check the exact firmware build and reduce exposure.

Who Should Check

Check the firmware version if you manage a Tenda device, especially in a home office, small business, shared apartment network, or remote-work setup. CERT/CC lists these affected firmware builds:

  • US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD – affected
  • US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE – affected
  • US_AC10V1.0re_V15.03.06.46_multi_TDE01 – affected
  • US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 – affected
  • US_AC6V2.0RTL_V15.03.06.51_multi_T – affected

Look in the router’s administration interface for the firmware/version field. If you inherited the router from an ISP, previous tenant, office closet, or marketplace purchase, treat the version check as higher priority because you may not know how long remote management or port forwarding has been enabled.

What The Backdoor Changes

According to CERT/CC, the vulnerable /bin/httpd web server first follows a normal MD5-based password verification path. If that fails, the code checks an alternate stored value tied to sys.rzadmin.password. A matching value grants admin-level access, and the username is not validated.

For a router owner, the important point is not the internal function name. It is that a hidden authentication path can bypass the password you see in the settings page. With administrator access, an attacker could change DNS servers, open management exposure, weaken security settings, redirect traffic, or make the router part of a larger attack path.

What To Do Now

  1. Check the exact firmware build. Do not rely only on the model name. The affected list is build-specific.
  2. Disable remote web management. The router admin panel should not be reachable from the internet unless there is a specific, controlled reason.
  3. Change the default LAN IP range if practical. CERT/CC notes this can reduce opportunistic discovery by automated scanners, though it will not stop targeted local scanning.
  4. Review DNS and port-forwarding settings. Unknown DNS resolvers, unexpected forwarding rules, or enabled WAN administration are stronger warning signs than a slow Wi-Fi day.
  5. Watch for a vendor firmware update. If no fixed firmware appears and the router protects an important network, plan replacement rather than leaving the device exposed indefinitely.

If you discover unknown DNS settings or browser redirects after a router change, compare the behavior with our guide to DNS spoofing vs DNS hijacking. If Windows devices on the network also show recurring redirects, suspicious downloads, or startup changes, check the local machine as well; a router issue and a PC infection can coexist. Gridinsoft’s online URL/file checks can help triage suspicious downloads, while a full local scan is appropriate if a file already ran.

What Not To Assume

  • A new admin password is not a full fix. It helps with normal credential abuse, but the disclosed issue is a hidden authentication path.
  • Wi-Fi password strength is separate. A strong WPA password does not protect an exposed web management interface.
  • No public exploit headline does not mean no risk. Router issues are often scanned quietly, and many owners never check firmware strings.
  • A reset may re-enable defaults. After a factory reset, re-check remote management, DNS, UPnP, and port-forwarding settings.

For related network symptoms, see Gridinsoft’s guides on DNS problems after malware or browser hijacking and ARP spoofing false alerts and real attacks.

FAQ

Is every Tenda router vulnerable?

No. CERT/CC lists specific firmware builds. Check the firmware version shown by your router before assuming your device is affected or safe.

Does changing the router password fix CVE-2026-11405?

No. It is still worth doing, but the disclosed problem is an undocumented authentication path in the web management logic. Exposure reduction and a fixed firmware build are the real controls.

Should I throw the router away?

Not automatically. First disable remote management, check the firmware build, and watch for vendor firmware. If the router is affected, unpatched, and protects a business or remote-work network, replacement is a reasonable risk decision.

References

  1. CERT Coordination Center. “Tenda firmware (multiple versions) contains hidden authentication backdoor.” Vulnerability Note VU#213560, Carnegie Mellon University Software Engineering Institute, original release July 6, 2026, accessed July 7, 2026. https://kb.cert.org/vuls/id/213560
  2. CVE Program. “CVE-2026-11405.” CVE Record, accessed July 7, 2026. https://www.cve.org/CVERecord?id=CVE-2026-11405
Share This Article
Cybersecurity Analyst
Follow:
Brendan Smith has spent over 15 years knee-deep in cybersecurity, chasing down malware from the gritty reverse-engineering of old-school trojans all the way to wrangling full-blown incident responses for small-to-medium businesses that couldn’t afford a full-blown breach. Over at Gridinsoft, he’s the guy piecing together those double-checked guides on nasty stuff like AsyncRAT ransomware—take last year, for instance, when his breakdowns caught more than 200 sneaky variants right in live scans, knocking user cleanup jobs down by a solid 40% and saving folks hours of headache.
Leave a Comment

AI Assistant

Hello! 👋 How can I help you today?