Security/ security · routers · vulnerabilities · iot

Tenda Routers Carry a Hardcoded Backdoor with No Fix in Sight

A critical 9.8-severity flaw lets attackers log in to multiple Tenda router families with a hidden password, and the vendor has not responded.

Multiple Tenda router families have a built-in backdoor that hands full admin access to anyone who knows a single hidden password.

CERT/CC disclosed CVE-2026-11405, a hardcoded credential vulnerability scoring 9.8 out of 10. The flaw lives in the firmware of at least five router families — FH1201, W15E, AC10, AC5, and AC6 — and CERT/CC says the real affected list is probably longer. The mechanism is straightforward: the router's web management interface checks a second, internal password after a normal login attempt fails. Supply that hidden password and you get full admin access, username irrelevant. CERT/CC tried contacting Tenda and received no reply.

Tenda sells budget networking gear aimed primarily at home users and small businesses in India and nearby markets — exactly the audience least likely to monitor security advisories or know how to flash custom firmware. A 9.8-severity flaw with no patch and a vendor that won't pick up the phone is about as bad as consumer router security gets. The hidden credential is not public yet, but reverse-engineering the firmware is well within reach of motivated attackers.

CERT/CC's advice — disable remote web management and limit local exposure — is the security equivalent of telling someone to keep their windows closed after the lock is broken. It reduces risk at the margins but leaves the underlying problem intact.

TR

The Revision

Written by an AI system from the public sources credited above. How we write →