DECEPTION CHECK
Threat Research · Vulnerability

A Hidden Password That Lets Anyone In: CVE-2026-11405

Several versions of Tenda router firmware ship with an undocumented second password. When the normal login fails, the device quietly checks a hidden value stored in its own configuration, and if you match it you get full administrator access with any username you like. There is no patch, the vendor could not be reached, and a public proof-of-concept is already circulating.

Deception Check  |  July 9, 2026  |  CVE-2026-11405  |  Authentication bypass, effectively critical  |  CERT/CC VU#213560, disclosed 2026-07-06
The short version CVE-2026-11405 is an undocumented authentication backdoor in the /bin/httpd web server that runs Tenda's device management interface. The normal login checks your password against an MD5 hash. When that check fails, the code takes a second path: it reads an alternate password from the device configuration under the key sys.rzadmin.password and compares it, in plaintext, against whatever you typed. A match hands back a full administrator session with role level 2, and the username is never checked, so any name paired with the backdoor password works. CERT/CC published the finding on July 6, 2026 as VU#213560, could not reach Tenda to coordinate a fix, and there is no patch as of this writing. It reached our watch through the independent proof-of-concept gate, not through CISA KEV: a public PoC repository for CVE-2026-11405 was created on GitHub and indexed on July 7, 2026, and scanning tooling has followed. We are flagging it under our operational-technology and critical-infrastructure watch with an honest caveat about scope, because these inexpensive routers frequently sit at the network edge of the small utilities, farms, and facilities we care about.

What the vulnerability is

Tenda is a large maker of low-cost networking gear, including home and small-business routers, switches, wireless access points, and video surveillance equipment. Like most such devices, its routers are managed through a web interface, a login page protected by a username and password that is supposed to be the only way to change settings. CVE-2026-11405 is a backdoor inside that login. It is not a coding slip that leaks a few bytes or mishandles an edge case. It is a deliberate, undocumented second authentication path built into the firmware that grants administrator access to anyone who knows a hidden password value.

Pre-auth
no valid login needed
role=2
full admin granted
No patch
vendor not reachable

CERT/CC lists five affected firmware builds spanning the FH1201, W15E, AC10, AC5, and AC6 model lines. The reporting researcher asked to remain anonymous, and CERT/CC states plainly that it was unable to reach the vendor to coordinate a fix, which is why the note ships with mitigations rather than a patched version. There is no CVSS score in the CERT/CC note and NVD scoring may still be pending, but the impact speaks for itself: an unauthenticated attacker who reaches the management interface obtains complete administrative control, which is the top of the severity scale in practical terms.

How the exploit works

The management interface is served by a single binary on the device, /bin/httpd, and the relevant logic lives in its login() function. On a normal login the function does what you would expect: it takes the submitted password, hashes it, and compares that against the stored MD5 value for the account. If the hashes match, you are in. The problem is what happens when they do not.

On a failed match, instead of simply rejecting the request, the function calls GetValue("sys.rzadmin.password") to fetch a separate password value out of the device configuration. It then performs a direct strcmp(), a plaintext string comparison, between that configuration value and the exact characters you submitted. If the two strings are identical, the code grants a session at role=2, the administrator level, and treats you as logged in. Because this second path never validates the account name, any username at all succeeds as long as it is paired with the backdoor password. CERT/CC notes that the mechanism is not documented and is not visible through any part of the normal administrative interface.

The device checks your password the honest way, and when that fails it checks a second, hidden password nobody told the owner about. Match the hidden one and you are the administrator, whatever name you used.

Two things make this worse than a typical hard-coded credential. First, the backdoor password is read from the running configuration rather than fixed in the binary, which means it does not stand out as an obvious constant and can be recovered by anyone who can read a device's configuration or firmware. Second, the comparison is plaintext, so there is no hashing to slow an attacker down and nothing to reverse. Once the value is known for a firmware line, it can be reused across every device running that build. A public proof-of-concept that automates the check appeared within a day of disclosure, and scanning scripts that fingerprint Tenda login pages and try the bypass at scale are the natural and expected next step.

Why a low-cost router lands on an OT and CI watch

We want to be precise about scope, because it would be easy to overstate this. Tenda routers are consumer and small-office devices first. They are not industrial control systems, CVE-2026-11405 is not an ICS advisory, and most of the affected units are sitting in homes and small businesses, not plant floors. We are flagging it under our operational-technology and critical-infrastructure watch for a narrower, defensible reason: inexpensive routers like these are exactly what turns up at the thin-budget edge of real critical-infrastructure operators. Small and rural water systems, single-site manufacturers, farms and food-and-agriculture sites, and building and facility networks routinely run whatever router was cheapest, and that is often a device in this class.

When a device like that is the internet-facing edge of a small operator, an unauthenticated administrator takeover is a textbook initial-access foothold. With admin control an attacker can change DNS and routing to redirect or intercept traffic, open the device up further, disable what few security features it has, and use its position to reach whatever sits on the flat internal network behind it. Many small OT environments have little or no segmentation between the edge router and the equipment it protects, so the router is not just a router, it is the doorway. That is the whole of our claim: not that this is an ICS exploit, but that it compromises the kind of edge device that, at a small utility or facility, is the last line before the control network.

What we see from our sensors

We run a fleet of honeypots and edge decoys, and this is squarely the kind of activity they are built to observe. The vulnerability is reached by sending ordinary web traffic to a device's login page, which is one of the most heavily scanned surfaces on the internet, and the bypass is trivial to attempt: submit a login and see whether the backdoor password is accepted.

The observable footprint is concrete. An attacker working this bug has to reach the router's web management endpoint, so we would expect to see automated requests to Tenda login pages, fingerprinting of the device model and firmware, and login attempts that succeed with unexpected or throwaway usernames rather than the configured administrator name. Scanning for Tenda's default management addresses and for internet-exposed management interfaces is a natural precursor, and a successful takeover is often followed immediately by configuration changes, especially to DNS. A decoy that presents as a Tenda-style admin panel is well placed to catch that reconnaissance and the bypass attempts that follow.

The honest framing We are not reporting confirmed CVE-2026-11405 captures in our own fleet as of this writing, and we will not imply that we have them. What we are saying is that this is a network-reachable, pre-authentication flaw on a mass-market edge device, which is exactly the category our sensors are designed for, and that the indicators above are what we are watching for. If you operate any of the affected Tenda models, the same request patterns are what your own logs should be reviewed for, starting with logins that succeed under a username you never created.

How to fix or mitigate it

There is no patched firmware to install. CERT/CC was unable to reach Tenda, so the guidance is mitigation and exposure reduction until, and unless, the vendor ships a fix. The single most important step is to make sure the management interface cannot be reached from the internet, because a backdoor you cannot connect to cannot be used against you from the outside.

Affected firmware builds (CERT/CC VU#213560)
FH1201 V1.2.0.14(408)   ·   W15E V15.11.0.5   ·   AC10 V15.03.06.46   ·   AC5 V15.03.06.48   ·   AC6 V15.03.06.51

Indicators and references

TypeDetail
CVECVE-2026-11405, undocumented authentication backdoor (hidden functionality, authentication bypass via alternate path)
ProductTenda routers, multiple firmware builds; web management served by /bin/httpd
MechanismOn failed MD5 login, login() reads sys.rzadmin.password from config and does a plaintext strcmp(); a match grants role=2 admin, username unvalidated
AffectedFH1201, W15E, AC10, AC5, AC6 firmware builds listed in CERT/CC VU#213560
FixedNone as of this writing; vendor not reachable by CERT/CC. Mitigate by disabling remote management and restricting access
Public PoCPublic PoC repository created and indexed 2026-07-07 (independent PoC-in-GitHub gate); scanning tooling reported
ExploitationNot on CISA KEV as of this writing; no vendor-confirmed in-the-wild campaign in the CERT/CC note. Trivial to attempt and mass-scannable, so treat exposed devices as at risk
AdvisoryCERT/CC Vulnerability Note VU#213560, published 2026-07-06
An honest caveat Our account is drawn from the CERT/CC vulnerability note VU#213560, The Hacker News reporting on the disclosure, and the CVE record. We flagged CVE-2026-11405 because a fresh, in-window public proof-of-concept appeared for a pre-authentication backdoor on a mass-market edge device that routinely sits at the perimeter of the small operators we watch, not because we have observed it in use. Two limits are worth restating plainly. The OT and CI relevance is indirect: this is a consumer and small-office router, not a native industrial device, and its place on this watch is about where these routers end up, not about an ICS protocol. And exploitation is unconfirmed: there is a public PoC and the bypass is trivial to try, but we are not aware of a documented in-the-wild campaign as of this writing. What earns it your attention is the combination of an unauthenticated full-admin backdoor, no available patch, a live PoC, and a device class that shows up at the thin edge of critical infrastructure.