Skip to content
feed: live
>_ 0dayNews
CVE Record
[ HIGH ] CVE-2026-11405

Tenda router firmware undocumented authentication backdoor

Multiple Tenda consumer router firmware builds ship an undocumented authentication backdoor in the web management binary. When normal password verification fails, an alternate code path consults a hidden credential and grants full admin access. CERT/CC coordinated disclosure Monday, 2026-07-06. Reporter anonymous. Tenda did not respond; no patch is available.

cat cve-2026-11405.json
Vendor
Tenda
Product
FH1201, W15E, AC10, AC5, AC6 V2 (multiple firmware builds — see article)
CVSS
N/A
EPSS (exploit probability)
N/A
Status
unpatched
Published

CVE-2026-11405 is an undocumented authentication backdoor in the /bin/httpd web management binary shipped with several Tenda consumer router firmware builds. Per CERT/CC’s advisory, when the normal password verification path fails, an alternate path consults a separate configuration credential; a match on that credential grants full administrator-role access to the router’s web management interface, regardless of the credentials configured for the actual admin account.

Severity note

Neither NVD nor CERT/CC has published a numeric CVSS score for this record as of publication. This site’s badge follows CERT/CC’s characterization — an unauthenticated bypass to full administrative control — as high while a canonical CVSS is outstanding. The reachability of the backdoor depends on whether the router’s web management interface is exposed to the network path from which an attacker would need to reach it (LAN by default; WAN if remote management is on), which is why NVD’s future scoring may land anywhere from the high single-digits into the low-9s.

Affected firmware (per CERT/CC coordinated disclosure)

  • Tenda FH1201, firmware V1.2.0.14
  • Tenda W15E, firmware V15.11.0.5
  • Tenda AC10, AC5, and AC6 V2, multiple firmware builds documented in the advisory

Owners of other Tenda models should treat “silence” as “unknown” until CERT/CC or Tenda scopes further — Tenda has not responded to CERT/CC’s coordinated disclosure.

Patch status

None. CERT/CC reports Tenda could not be reached for remediation. There is no vendor patch, no firmware update, and no published timeline for one. The published mitigations are host-hardening steps only:

  • Disable remote (WAN-side) web management on affected devices.
  • Change the router’s default LAN IP address away from the factory default to reduce automated-scanner discoverability on internal networks where an attacker has already landed.
  • Where feasible, isolate the router off networks that carry sensitive traffic or serve as a jump-off to other assets.

For a full breakdown of the practical response, see the accompanying article: Tenda Router Backdoor Has No Patch. Here’s What to Do..

Sources