← All articles

Tenda routers ship a hidden backdoor password with no patch available

CERT/CC has warned that several Tenda router firmware versions contain an undocumented authentication backdoor that grants full administrative access to the web management interface. Tracked as CVE-2026-11405, the flaw lives in the login function of the router's web server: if normal password checking fails, the firmware compares the supplied password against a hidden value stored in the device configuration and, on a match, grants admin access regardless of the username. It affects models including the FH1201, W15E, AC10, AC5, and AC6, is baked into the firmware, and cannot be disabled from the interface. Tenda has not responded, so there is no fix, and public exploit tooling is already scanning for vulnerable devices.

Check
Identify any Tenda routers in use, especially the affected FH1201, W15E, AC10, AC5, and AC6 models, and check whether the web management interface is reachable remotely or from untrusted networks.
Affected
Users of affected Tenda router models (CVE-2026-11405); anyone who can reach the web management interface can log in as administrator using a hidden backdoor password, with no valid credentials needed.
Fix
With no patch available, disable remote management, change the default LAN IP, restrict management access to trusted hosts, monitor for scanning on UDP port 7329, and plan to replace unsupported devices.