
Tendacn.com
Five firmware builds from Chinese router manufacturer Tenda contain a hardwired administrative backdoor that makes every password an owner sets irrelevant — and the company has not responded to the government security agency that discovered it seven weeks ago, or to any reporter since.
The CERT Coordination Center, operated by Carnegie Mellon University's Software Engineering Institute, published Vulnerability Note VU#213560 on Monday, disclosing CVE-2026-11405 and confirming that Tenda has not provided a statement, offered a patch, or communicated any remediation timeline since CERT/CC first notified the Shenzhen-based company on May 19.
That pattern of silence is not new. Tenda has failed to respond to security researchers who disclosed critical vulnerabilities in its products in 2013, 2020, 2021, and 2022. The company is headquartered in China and is legally subject to the National Intelligence Law of the People's Republic of China — a 2017 statute whose Article 7 requires all Chinese organizations to "support, assist, and cooperate with national intelligence efforts." That obligation holds regardless of where Tenda's products are deployed, regardless of any stated privacy policy, and regardless of whether Tenda has ever disclosed being asked to comply.
Most router security vulnerabilities involve a known weakness — a buffer overflow, a misconfigured endpoint, a default password that users forgot to change. CVE-2026-11405 is categorically different: it is a second, fully functional authentication path built into the router's firmware that no owner can see or disable, regardless of what they do to the device's settings.
The flaw lives inside the login() function of the /bin/httpd binary — the web server component that handles every authentication attempt through the router's management interface. When someone enters a username and password, the function first runs the normal verification: an MD5-based hash comparison. If that check fails — that is, if the owner's real password doesn't match — the function does not stop. It calls GetValue("sys.rzadmin.password") to retrieve a separate, undocumented password value stored in the device's configuration under the key sys.rzadmin.password. It then performs a direct plaintext strcmp() comparison between whatever the user typed and this hidden value. If they match, the router creates a full administrative session at privilege level role=2 — the highest tier — regardless of which username was entered.
CERT/CC confirmed in its advisory that the username field is not validated at all in this secondary path. Any string in the username field will succeed when paired with the backdoor password. The mechanism is invisible: it does not appear in any administrative interface, is not documented in any Tenda material accessible to customers, and cannot be disabled by any owner-accessible setting.
Pierluigi Paganini, writing for Security Affairs, summarized the practical consequence: "The hidden password value lives in the device configuration under sys.rzadmin.password, which means it shipped this way from Tenda intentionally, not as something an owner could accidentally trigger."
CERT/CC confirmed five specific firmware builds as vulnerable:
FH1201: US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD W15E: US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE AC10: US_AC10V1.0re_V15.03.06.46_multi_TDE01 AC5: US_AC5V1.0RTL_V15.03.06.48_multi_TDE01 AC6: US_AC6V2.0RTL_V15.03.06.51_multi_T
These models are among Tenda's most widely deployed budget router lines, sold globally through major online retailers and distributed throughout homes and small offices. Tenda has annual revenues exceeding $1 billion and maintains 15 sales offices worldwide, making this exposure a consumer-scale problem rather than a niche one. To check whether a specific device is affected, owners should navigate to their router's administrative interface and compare the firmware version string against the five affected builds listed above. For firmware downloads and version reference, see Tenda's firmware download center.
Read more: Seiko SkyBridge Enterprise IoT Routers Hit With Permanent OS Injection: No Fix
Read more: GRU Hijacked TP-Link Routers in 23 States to Steal Outlook Passwords: FBI Urges Immediate Action
Full administrative control over a router is not simply a matter of changing a Wi-Fi password. A router sits at the boundary between a home or office network and the internet — it routes every packet, resolves every domain name, and manages every firewall rule for every device connected to it.
An attacker who exploits CVE-2026-11405 can redirect all DNS queries to attacker-controlled servers, which means every website a user types into their browser could silently resolve to a different destination. They can disable the router's firewall entirely, expose connected computers, phones, and smart home devices to direct internet access, and establish persistent remote access that survives device reboots. They can reconfigure port forwarding to tunnel external traffic into the local network, or they can use the compromised router as a pivot point to attack every other device on the network.
The vulnerability is particularly dangerous on devices with remote management enabled — a setting that, when active, makes the router's administrative interface reachable from anywhere on the internet. Automated scanning tools continuously probe known router management ports across IP address ranges; a device with remote management enabled and CVE-2026-11405 present is reachable by any scanner that knows to try the backdoor credential.
CVE-2026-11405 is not the first undocumented authentication mechanism found in Tenda firmware. In October 2013, security researcher Craig Heffner documented a LAN-side backdoor in the Tenda W302R and W330R routers, embedded in the MfgThread() function of the httpd component — the same binary where CVE-2026-11405 now lives. Heffner described finding code that could execute commands from remote locations when triggered by a specific UDP packet. Tenda did not patch that vulnerability for any affected model.
In 2020, analysts at Independent Security Evaluators found five vulnerabilities in the Tenda AC15 AC1900 router, including a hardcoded telnet password tracked as CVE-2020-10988 that gave any attacker who reached the device's telnet service root-equivalent access. ISE notified Tenda in January 2020. After 180 days — nearly double the standard disclosure window — Tenda had not responded or patched, and ISE published the findings publicly. "It is interesting to note that as Tenda has yet to patch these vulnerabilities, similar vulnerabilities may exist in other firmware versions," ISE wrote. The W15E — one of the five models confirmed vulnerable to CVE-2026-11405 — received seven published CVEs in 2022 related to authentication bypass, password exposure, and unauthorized telnet activation. Tenda did not respond to those disclosures within the 90-day standard window either.
The February 2026 vulnerability disclosure cycle added eight more CVEs across the Tenda AC21, TX3, and TX9 product lines — buffer overflows and command injection flaws that expose additional router models to remote compromise.
CERT/CC's May 19 outreach on CVE-2026-11405 received no reply. The July 6 advisory notes only: "We have not received a statement from the vendor." No firmware update from Tenda is available or announced as of publication.
Shenzhen Tenda Technology Co., Ltd. was founded in 1999 and is headquartered in Shenzhen, Guangdong Province, China. All of its research and development centers are located in China. As a Chinese company, it is legally subject to China's National Intelligence Law (2017), whose Article 7 requires all Chinese organizations and citizens to "support, assist, and cooperate with national intelligence efforts in accordance with law."
Article 14 of the same law empowers Chinese intelligence agencies to demand assistance from any organization. China's Cybersecurity Law (2016, amended January 2026) separately requires network operators, through Article 28, to "provide technical support and assistance to public security organs and national security organs." The DHS Data Security Business Advisory stated in 2020 that Chinese companies are "required to secretly share data with the PRC government or other entities upon request, even if that request is illegal under the jurisdiction in which these firms operate," and that the National Intelligence Law specifically empowers China to direct its companies to "covertly install backdoors or 'bugdoors' into their equipment or software."
Whether CVE-2026-11405 is an accidental engineering flaw, a debug artifact left in production firmware, or something more deliberate is not determinable from publicly available information. What is determinable is this: if Chinese intelligence agencies asked Tenda to include a hidden authentication mechanism and maintain silence about it, Tenda would be legally required to comply and legally barred from acknowledging the request. The silence is structurally indistinguishable from non-disclosure.
Readers should understand what data transits or is accessible through a router: all DNS queries (which reveal every domain a household visits), traffic metadata for encrypted and unencrypted sessions alike, Wi-Fi passwords stored in the router's configuration file, the MAC addresses and IP assignments of every connected device, and any unencrypted application traffic on the network. An attacker with admin access obtains visibility into all of these without installing any additional software on any connected device.
CERT/CC has published two interim mitigations for owners of affected Tenda firmware builds. Both should be applied immediately, but neither eliminates the underlying vulnerability.
Disable remote web management. This is the most consequential single step available. When remote management is disabled, attackers cannot reach the router's administrative interface from outside the local network, which removes the primary attack vector for internet-based exploitation. This setting is typically found in the router's WAN or Remote Access settings.
Change the default LAN IP address. Tenda routers ship with predictable default gateway addresses, commonly 192.168.0.1 or 192.168.1.1. Changing this address makes the device harder for automated scanners to identify and probe.
Beyond these mitigations, owners should note what they cannot do: there is no owner-accessible method to remove the sys.rzadmin.password configuration key or disable the fallback authentication code path. The backdoor is compiled into the /bin/httpd binary. Only a vendor-issued firmware update that rewrites that binary can remove it. Tenda has not indicated when or whether such an update is coming.
Given Tenda's documented history of non-response to security researchers across more than a decade — and the absence of any remediation timeline — owners of affected devices who need certainty should consider replacing the router with a product from a manufacturer that maintains an active security response program. The FCC issued an import restriction on new foreign-manufactured consumer routers in March 2026 by updating its Covered List; existing Tenda devices already in service are not covered by that action, but new Tenda router models are no longer eligible for FCC equipment authorization in the United States.
Monitor Tenda's official support channels and the CERT/CC VU#213560 page for any firmware update. If Tenda releases a patch, apply it immediately.
Read more: D-Link Routers Hijacked by AryStinger Botnet: Over 4,300 Devices Now Scanning for Future Targets
CVE-2026-11405 does not require a compromised device to be internet-facing to pose a risk. An attacker who is already on the local network — connected to the same Wi-Fi, reached through a compromised device on the network, or present via any other local access method — can use the backdoor credential to take full control of the router from the inside. The mitigations reduce the external attack surface but do not address the local network scenario.
For small offices where Tenda routers serve as the only network perimeter device, this means the primary defense layer is compromised. Businesses with compliance obligations — HIPAA, PCI-DSS, or any framework requiring network access controls — should treat affected Tenda devices as failed controls and seek immediate replacement.
For households, the practical priority is: disable remote management, change the LAN IP, and document the firmware version so you know immediately when and if a Tenda update becomes available. If no update appears within a reasonable timeframe, replacement is the only fully effective option.
Log into your router's administrative interface and locate the firmware version string in the system or status section. Compare it against the five affected builds listed by CERT/CC's VU#213560 advisory: US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, and US_AC6V2.0RTL_V15.03.06.51_multi_T. If your firmware string matches any of these exactly, your device is confirmed vulnerable. If your string does not match but you own a Tenda router, that does not guarantee you are unaffected — only that your specific build has not been confirmed vulnerable by CERT/CC to date.
No. As of July 7, 2026, no firmware update from Tenda is available or announced. CERT/CC first notified Tenda on May 19, 2026, and received no response. The vulnerability has no timeline for remediation because the vendor has provided none. CERT/CC's only available guidance consists of two mitigations — disabling remote management and changing the default LAN IP — neither of which removes the backdoor from the firmware binary itself.
The practical risk depends on whether your router has remote management enabled. With remote management disabled, exploitation requires an attacker already present on your local network. With remote management enabled, the router's administrative interface is reachable from anywhere on the internet, and automated scanning tools can attempt the backdoor credential without any human intervention. Beyond the vulnerability itself, Tenda is a Chinese company subject to China's National Intelligence Law, which legally requires it to cooperate with Chinese government intelligence requests and bars it from disclosing that it has done so. Tenda's silence on this vulnerability is structurally indistinguishable from legally compelled non-disclosure. Owners who need a definitive answer about their network's security posture should replace the device rather than wait indefinitely for a patch from a vendor with a decade-long history of not responding to security researchers.
China's National Intelligence Law of 2017 requires all Chinese organizations to support and cooperate with state intelligence work — and Article 14 empowers intelligence agencies to demand that assistance. China's Cybersecurity Law requires network operators to provide "technical support and assistance" to security and public safety organs. These are legally binding requirements that apply regardless of where Tenda products are deployed, regardless of the company's stated privacy policies, and regardless of whether any cooperation has occurred or been requested. A router provides access to all traffic on a home or office network, including DNS queries that reveal every website a user visits. The legal framework means Tenda cannot be treated the same way as a router manufacturer not subject to mandatory intelligence cooperation laws.
