Security researchers at CERT Coordination Center have uncovered a critical vulnerability in several Tenda router models that lets attackers gain administrator access without any legitimate password. A hidden authentication mechanism built into the firmware activates after a failed login attempt, granting full control if the right secret password is supplied. As of this report, Tenda has yet to issue a patch. The flaw is tracked under CVE-2026-11405.

According to CERT/CC, the vulnerability triggers when normal password verification fails. Instead of outright rejection, the router initiates an undocumented secondary authentication routine. If the attacker provides a specific embedded password – hardcoded in the firmware and not publicly known – the device grants unrestricted access to the admin interface. Interestingly, username verification is lax, so guessing the hidden password alone suffices to bypass security protections.

The affected Tenda models confirmed so far include:

  • Tenda FH1201
  • Tenda W15E
  • Tenda AC10
  • Tenda AC5
  • Tenda AC6

CERT/CC notes this list might not be exhaustive since Tenda hasn’t fully confirmed all impacted devices. It is common for routers within a product lineup to share firmware code across multiple models and software versions, increasing the potential scope of affected units.

With admin-level access, attackers could:

  • Alter DNS servers
  • Enable remote management
  • Disable security settings
  • Change owner passwords
  • Use the compromised router as a hub for launching attacks on connected devices

While dangerous for any home network, the risk escalates sharply for small business setups where the router controls all traffic flow. Common exploit scenarios include phishing campaigns, website spoofing, and recruiting devices into botnets-an increasing concern in IoT security.

Researchers have withheld the hidden backdoor password to prevent mass exploitation. Attempts by CERT/CC to engage Tenda have yielded no patch updates or official comment. Meanwhile, users are advised to disable remote internet management and restrict web interface access strictly to the local network. Limiting exposure this way significantly reduces attack vectors until a proper fix is released.

Security flaws in consumer and small office routers often trigger warnings from authorities worldwide. For example, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has repeatedly recommended retiring vulnerable, unsupported SOHO routers because attackers commonly hijack them to build botnets and gain network footholds. How Tenda responds will be important-either expanding the list of affected models or releasing firmware patches alongside an explanation for the embedded backdoor.

Tenda router administration interface warning
Source: Ixbt

Leave a comment

Your email address will not be published. Required fields are marked *