Multiple Tenda router families have a built-in backdoor that hands full admin access to anyone who knows a single hidden password.
CERT/CC disclosed CVE-2026-11405, a hardcoded credential vulnerability scoring 9.8 out of 10. The flaw lives in the firmware of at least five router families — FH1201, W15E, AC10, AC5, and AC6 — and CERT/CC says the real affected list is probably longer. The mechanism is straightforward: the router's web management interface checks a second, internal password after a normal login attempt fails. Supply that hidden password and you get full admin access, username irrelevant. CERT/CC tried contacting Tenda and received no reply.
Tenda sells budget networking gear aimed primarily at home users and small businesses in India and nearby markets — exactly the audience least likely to monitor security advisories or know how to flash custom firmware. A 9.8-severity flaw with no patch and a vendor that won't pick up the phone is about as bad as consumer router security gets. The hidden credential is not public yet, but reverse-engineering the firmware is well within reach of motivated attackers.
CERT/CC's advice — disable remote web management and limit local exposure — is the security equivalent of telling someone to keep their windows closed after the lock is broken. It reduces risk at the margins but leaves the underlying problem intact.