# Critical Tenda Router Backdoor Leaves Multiple Models Vulnerable to Admin Access

_Friday, July 10, 2026 at 8:00 AM EDT · Security · Latest · Tier 2 — Notable_

![Critical Tenda Router Backdoor Leaves Multiple Models Vulnerable to Admin Access — Primary](https://www.guru3d.com/data/publish/228/b0136f828e1c66a692f4af53d6c8d2668d8208/6890968068906908.webp)

CERT/CC disclosed CVE-2026-11405, a critical firmware vulnerability affecting several Tenda router models, the organization said. The undocumented authentication backdoor allows attackers to gain administrator access without using the configured login credentials. No firmware update is currently available, as Tenda has yet to respond to researchers. According to the advisory, the vulnerability exists within the firmware's built-in web management interface. While the router first validates the configured administrator password using its normal authentication routine, a secondary hidden authentication path is executed if that verification fails. The firmware retrieves an internally stored password and compares it directly with the password supplied by the user. If the hidden password matches, the firmware grants a full administrator session regardless of the username entered. CERT/CC identified the vulnerability in firmware for the FH1201, W15E, AC10, AC5, and AC6 router families, although it notes that additional models or firmware versions may also be affected. The advisory does not identify whether the undocumented login mechanism was intentionally implemented or left behind during development. An attacker successfully exploiting the backdoor gains unrestricted control over the router. Administrative access allows changes to DNS settings, firewall rules, firmware configuration, port forwarding, remote management, and administrator credentials. With no firmware update currently available, CERT/CC recommends that users disable remote web management wherever possible and restrict access to the router's administrative interface to trusted devices on the local network.

## Sources

- [Guru3D](https://www.guru3d.com/story/critical-tenda-router-backdoor-leaves-multiple-models-vulnerable-to-admin-access/)

---
Canonical: https://techandbusiness.org/newswire/mIDrms0yiwxk7yFjPupnoA
Retrieved: 2026-07-10T23:43:24.984Z
Publisher: Tech & Business (techandbusiness.org)
