Skip to content
feed: live
>_ 0dayNews
ics ot

Tenda Router Backdoor Has No Patch. Here's What to Do.

CERT/CC flagged an authentication backdoor in multiple Tenda router firmware builds. Tenda didn't respond. No fix is coming — here's the mitigation.

Tenda Router Backdoor Has No Patch. Here's What to Do.
Image: 0dayNews / 0dayNews Editorial · All rights reserved
Marisol "Fuse" Delgado · Published · 5 min read

CERT/CC published a coordinated-disclosure advisory Monday, 2026-07-06, for CVE-2026-11405 — an undocumented authentication backdoor in the web management binary shipped with multiple Tenda consumer router firmware builds. When the normal password check fails, an alternate code path in /bin/httpd’s login function reads a separate credential out of the router’s own configuration store and, on a plaintext match, grants full administrator-role access to the web management interface. The credentials the router owner configured have nothing to do with it.

Reporter is anonymous, disclosed through CERT/CC. Tenda didn’t respond to CERT/CC’s coordinated disclosure. There is no patch. There is no timeline for a patch. The Hacker News wrote up the CERT/CC advisory on 2026-07-07, and BleepingComputer covered the same disclosure separately later the same day. No numeric CVSS has been published on NVD’s record yet.

If you own or operate any of the affected models — and honestly, on a Tenda device you haven’t personally re-flashed, assume you might — this is not a “patch when the fix drops” story. The fix isn’t dropping. It’s a “mitigate the reachability, and start planning replacement” story.

What changed

CERT/CC scoped the affected firmware to five builds across five product lines:

  • Tenda FH1201, firmware V1.2.0.14
  • Tenda W15E, firmware V15.11.0.5
  • Tenda AC10, firmware V15.03.06.46
  • Tenda AC5, firmware V15.03.06.48
  • Tenda AC6 V2, firmware V15.03.06.51

That’s a coordinated-disclosure floor, not a ceiling. Undocumented backdoors of this shape — hidden credential path, alternate authentication branch — are rarely a one-firmware-build accident; they land in shared code and ship across every product line that pulls from the same tree. CERT/CC lists what it could confirm. What is not listed is not the same as what is not vulnerable.

The mechanism, per CERT/CC, is a second authentication path that activates when the first one fails. There is no vendor advisory acknowledging or scoping the flaw. There is no coordinated CVE numbering authority assignment beyond the MITRE record itself. There is no patched firmware build. Tenda is not, on the current public record, participating in this disclosure at all.

What to actually do

1. Inventory. Today.

Pull a list of every Tenda router in your estate — corporate, remote-worker home offices you help support, satellite offices, retail POS closets, guest Wi-Fi setups behind an old build-out, anything. Cross-reference model and firmware version against the five confirmed builds above. Anything on the list is a same-week action item. Anything on a Tenda model not on the list is a “unknown; assume vulnerable until further scoping” action item.

The models CERT/CC scoped are consumer and SOHO gear. In an enterprise-managed estate you probably don’t have Tenda in the core. Where you find it is going to be the edges — home offices, small branch installs, a low-budget guest network somebody stood up two acquisitions ago. Those are also the installations least likely to be behind good egress controls, which matters for the next step.

2. Kill remote (WAN-side) web management.

CERT/CC’s first mitigation is the important one: disable the router’s remote administration interface. On the affected models this is a checkbox in the web UI under system administration; on the ones that are still under active user control, flip it off. This removes the internet-facing path to the backdoor and leaves the LAN-side path in place — an attacker still has the bypass, but they need a foothold on the LAN first to use it.

That is not a fix. It is a reachability reduction. An attacker on the LAN (a compromised laptop, an untrusted guest device, an IoT camera on the same VLAN) can still walk right in.

3. Segment the router off anything you care about.

Where the affected router carries only unimportant traffic — a guest Wi-Fi to nowhere, an isolated test bench — the exposure is bounded and you can move at a slower pace. Where the router carries any traffic to production systems, VPN endpoints, corporate data, or credential-holding endpoints, put it behind something you trust. Move the endpoint devices to a network that terminates on hardware you can actually patch, or drop a small managed switch or firewall between the Tenda device and anything else and treat the Tenda-side as untrusted.

The honest reading of “no patch, no vendor response” is that the trust boundary has moved. Whatever the router used to gate, it doesn’t gate anymore.

4. Rotate credentials the router touched.

If the affected router terminated a management VPN, held any device or service credentials in its own configuration, or ran a captive portal that saw user credentials in flight, rotate. Full admin on the router means full read on whatever the router’s configuration store held and full observability of whatever traffic crossed its plaintext interfaces. Don’t wait to confirm exploitation before rotating — the standing risk is too broad to sit on.

5. Plan replacement inside 60 days.

An unpatched pre-auth admin bypass on a shipping consumer router, with no vendor response to coordinated disclosure, is a permanent condition, not a temporary one. Mitigations 2 and 3 above hold the line while you plan; they are not a resting position. If the affected router is on the network long-term, the failure mode is not a question of if but of when someone else’s compromise lands on your LAN and the backdoor is the next step in their chain. Budget the swap.

Priority call

Where remote management is on and internet-facing: today. Turn it off, verify from an off-network probe that the management UI no longer answers on the WAN address, and then move to segmentation. This is the only step that meaningfully reduces reachability without a vendor patch.

Where remote management was already off and the device is behind a decent perimeter: this week. Segment first, rotate credentials the router touched, then plan replacement. The backdoor is still there — it hasn’t moved — but the reachability envelope is small enough that you have days rather than hours.

Where the affected router is a home-office device on a remote worker’s plan: this week too. Get a corporate-issued device or a known-good replacement to them, help them replace the box, and don’t leave the Tenda unit routing anything meaningful. Remote-worker gear you can’t patch and can’t reach is exactly the kind of long-lived exposure a patient attacker maps out and comes back to.

If you’re waiting for a patch to make this go away, this is one of the ones you have to plan around instead. Vendors that don’t respond to CERT/CC on a pre-auth admin backdoor generally don’t respond to the second attempt either.

Sourcing

Found this useful? Share it.