Tenda Routers Ship with Hidden Admin Backdoor, CERT/CC Warns
CERT/CC has uncovered a hidden admin backdoor in multiple Tenda router firmware versions. Attackers can exploit this flaw to gain unauthorized administrative access.
TL;DR
- CERT/CC disclosed a hidden admin backdoor in Tenda router firmware.
- The vulnerability, CVE-2026-11405, bypasses password verification for device admin panels.
- Affected routers may allow remote attackers full administrative control.
- Firmware versions across multiple Tenda models are impacted.
- Organizations using Tenda routers should audit firmware and apply updates immediately.
Security researchers from the CERT Coordination Center (CERT/CC) have revealed a serious vulnerability in several Tenda router models. The issue lies in the firmware itself, which contains an undocumented backdoor allowing unauthorized users to gain administrative access without needing a password.
This flaw, identified as CVE-2026-11405, poses a significant risk to both enterprise and home networks relying on affected Tenda devices. It bypasses standard authentication mechanisms, potentially giving attackers full control over the router's web interface. Organizations using these routers should take immediate steps to verify their firmware versions and mitigate exposure.
Vulnerability Details
- CVE-2026-11405 allows attackers to bypass password checks in the router’s web management interface.
- The backdoor is hardcoded into the firmware, making detection difficult without deep analysis.
- No user interaction or additional privileges are required to exploit the flaw.
- Attackers could use this access to modify network settings, install malware, or monitor traffic.
Impact and Recommendations
- Multiple Tenda router models and firmware versions are believed to be affected.
- CERT/CC recommends auditing all Tenda devices for vulnerable firmware builds.
- Immediate mitigation includes disabling remote administration and updating firmware where possible.
- Network administrators should consider replacing affected hardware if secure updates aren’t available.
- Monitoring network logs for unusual admin activity can help detect exploitation attempts.
Sources
Sources
Security email updates
One digest email when we publish new security articles (TL;DR plus links to read more). Unsubscribe anytime from the message footer. See our Privacy Policy.