Security
Tenda router firmware ships an authentication backdoor CVE-2026-11405
- Category: Security
- Status: confirmed
- Sources: CERT/CC VU#213560, HN discussion
- Summary: CERT/CC published VU#213560 on 2026-07-06 describing an undocumented authentication backdoor in multiple Tenda networking-device firmware images. The
/bin/httpdlogin function checks an alternate plaintext password stored in device configuration and accepts it with any username, bypassing normal password verification to grant administrative access to the web management interface. Listed images include US_FH1201, US_W15E, US_AC10, US_AC5, and US_AC6 builds. No patch is available, and CERT/CC reports the vendor could not be reached for coordination. Tracked as CVE-2026-11405. - Why it matters: Affected devices grant administrative access to anyone who knows the backdoor password, and there is no fix.