Several versions of Tenda router firmware ship with an undocumented second password. When the normal login fails, the device quietly checks a hidden value stored in its own configuration, and if you match it you get full administrator access with any username you like. There is no patch, the vendor could not be reached, and a public proof-of-concept is already circulating.
/bin/httpd web server that runs Tenda's device management interface. The normal login checks your password against an MD5 hash. When that check fails, the code takes a second path: it reads an alternate password from the device configuration under the key sys.rzadmin.password and compares it, in plaintext, against whatever you typed. A match hands back a full administrator session with role level 2, and the username is never checked, so any name paired with the backdoor password works. CERT/CC published the finding on July 6, 2026 as VU#213560, could not reach Tenda to coordinate a fix, and there is no patch as of this writing. It reached our watch through the independent proof-of-concept gate, not through CISA KEV: a public PoC repository for CVE-2026-11405 was created on GitHub and indexed on July 7, 2026, and scanning tooling has followed. We are flagging it under our operational-technology and critical-infrastructure watch with an honest caveat about scope, because these inexpensive routers frequently sit at the network edge of the small utilities, farms, and facilities we care about.Tenda is a large maker of low-cost networking gear, including home and small-business routers, switches, wireless access points, and video surveillance equipment. Like most such devices, its routers are managed through a web interface, a login page protected by a username and password that is supposed to be the only way to change settings. CVE-2026-11405 is a backdoor inside that login. It is not a coding slip that leaks a few bytes or mishandles an edge case. It is a deliberate, undocumented second authentication path built into the firmware that grants administrator access to anyone who knows a hidden password value.
CERT/CC lists five affected firmware builds spanning the FH1201, W15E, AC10, AC5, and AC6 model lines. The reporting researcher asked to remain anonymous, and CERT/CC states plainly that it was unable to reach the vendor to coordinate a fix, which is why the note ships with mitigations rather than a patched version. There is no CVSS score in the CERT/CC note and NVD scoring may still be pending, but the impact speaks for itself: an unauthenticated attacker who reaches the management interface obtains complete administrative control, which is the top of the severity scale in practical terms.
The management interface is served by a single binary on the device, /bin/httpd, and the relevant logic lives in its login() function. On a normal login the function does what you would expect: it takes the submitted password, hashes it, and compares that against the stored MD5 value for the account. If the hashes match, you are in. The problem is what happens when they do not.
On a failed match, instead of simply rejecting the request, the function calls GetValue("sys.rzadmin.password") to fetch a separate password value out of the device configuration. It then performs a direct strcmp(), a plaintext string comparison, between that configuration value and the exact characters you submitted. If the two strings are identical, the code grants a session at role=2, the administrator level, and treats you as logged in. Because this second path never validates the account name, any username at all succeeds as long as it is paired with the backdoor password. CERT/CC notes that the mechanism is not documented and is not visible through any part of the normal administrative interface.
The device checks your password the honest way, and when that fails it checks a second, hidden password nobody told the owner about. Match the hidden one and you are the administrator, whatever name you used.
Two things make this worse than a typical hard-coded credential. First, the backdoor password is read from the running configuration rather than fixed in the binary, which means it does not stand out as an obvious constant and can be recovered by anyone who can read a device's configuration or firmware. Second, the comparison is plaintext, so there is no hashing to slow an attacker down and nothing to reverse. Once the value is known for a firmware line, it can be reused across every device running that build. A public proof-of-concept that automates the check appeared within a day of disclosure, and scanning scripts that fingerprint Tenda login pages and try the bypass at scale are the natural and expected next step.
We want to be precise about scope, because it would be easy to overstate this. Tenda routers are consumer and small-office devices first. They are not industrial control systems, CVE-2026-11405 is not an ICS advisory, and most of the affected units are sitting in homes and small businesses, not plant floors. We are flagging it under our operational-technology and critical-infrastructure watch for a narrower, defensible reason: inexpensive routers like these are exactly what turns up at the thin-budget edge of real critical-infrastructure operators. Small and rural water systems, single-site manufacturers, farms and food-and-agriculture sites, and building and facility networks routinely run whatever router was cheapest, and that is often a device in this class.
When a device like that is the internet-facing edge of a small operator, an unauthenticated administrator takeover is a textbook initial-access foothold. With admin control an attacker can change DNS and routing to redirect or intercept traffic, open the device up further, disable what few security features it has, and use its position to reach whatever sits on the flat internal network behind it. Many small OT environments have little or no segmentation between the edge router and the equipment it protects, so the router is not just a router, it is the doorway. That is the whole of our claim: not that this is an ICS exploit, but that it compromises the kind of edge device that, at a small utility or facility, is the last line before the control network.
We run a fleet of honeypots and edge decoys, and this is squarely the kind of activity they are built to observe. The vulnerability is reached by sending ordinary web traffic to a device's login page, which is one of the most heavily scanned surfaces on the internet, and the bypass is trivial to attempt: submit a login and see whether the backdoor password is accepted.
The observable footprint is concrete. An attacker working this bug has to reach the router's web management endpoint, so we would expect to see automated requests to Tenda login pages, fingerprinting of the device model and firmware, and login attempts that succeed with unexpected or throwaway usernames rather than the configured administrator name. Scanning for Tenda's default management addresses and for internet-exposed management interfaces is a natural precursor, and a successful takeover is often followed immediately by configuration changes, especially to DNS. A decoy that presents as a Tenda-style admin panel is well placed to catch that reconnaissance and the bypass attempts that follow.
There is no patched firmware to install. CERT/CC was unable to reach Tenda, so the guidance is mitigation and exposure reduction until, and unless, the vendor ships a fix. The single most important step is to make sure the management interface cannot be reached from the internet, because a backdoor you cannot connect to cannot be used against you from the outside.
V1.2.0.14(408) · W15E V15.11.0.5 · AC10 V15.03.06.46 · AC5 V15.03.06.48 · AC6 V15.03.06.51| Type | Detail |
|---|---|
| CVE | CVE-2026-11405, undocumented authentication backdoor (hidden functionality, authentication bypass via alternate path) |
| Product | Tenda routers, multiple firmware builds; web management served by /bin/httpd |
| Mechanism | On failed MD5 login, login() reads sys.rzadmin.password from config and does a plaintext strcmp(); a match grants role=2 admin, username unvalidated |
| Affected | FH1201, W15E, AC10, AC5, AC6 firmware builds listed in CERT/CC VU#213560 |
| Fixed | None as of this writing; vendor not reachable by CERT/CC. Mitigate by disabling remote management and restricting access |
| Public PoC | Public PoC repository created and indexed 2026-07-07 (independent PoC-in-GitHub gate); scanning tooling reported |
| Exploitation | Not on CISA KEV as of this writing; no vendor-confirmed in-the-wild campaign in the CERT/CC note. Trivial to attempt and mass-scannable, so treat exposed devices as at risk |
| Advisory | CERT/CC Vulnerability Note VU#213560, published 2026-07-06 |