- CERT/CC Reveals CVE-2026-11405, a Critical 9.8/10 Vulnerability in Multiple Tenda Router Families Caused by a Hardcoded Credential Backdoor
- Attackers can bypass normal login checks and gain full administrator access with the hidden password, regardless of configured username or password
- Tenda has not responded; CERT/CC recommends disabling web remote control and limiting local exposure, although these are only partial restrictions
Several Tenda router families have a critical vulnerability that allows malicious actors to log in with administrator privileges without knowing the credentials, experts have found.
The CERT Coordination Center disclosed a vulnerability in Tenda routers, which it described as an undocumented authentication backdoor caused by a hard-coded credential.
The bug is tracked as CVE-2026-11405 and was assigned a severity rating of 9.8/10 (Critical). CERT/CC reportedly attempted to contact the manufacturer without success.
How the vulnerability works
To explain how it works, CERT/CC says the attacker would first try to log into the router’s web management interface normally. Even if the credentials are incorrect, the firmware will not automatically reject them, but will rather check another hidden password stored internally. If the attacker knows the hidden credentials, they gain full administrator access, regardless of the configured administrator password or username.
The username doesn’t even matter as long as the password is provided. Of course, CERT/CC didn’t say what the password was, but with a little reverse-engineering of the firmware, it can be exposed either on the dark web or to the general public.
Tenda is a Chinese company that builds budget networking equipment, most popular in India and neighboring markets, where its products are popular in homes and among small businesses.
Thus, the bug still affects more firmware versions, including FH1201, W15E, AC10, AC5 and AC6 router families. To make matters worse, CERT/CC added that the full list of affected models is likely to be even larger.
Tenda has not yet commented on the results. In the meantime, CERT/CC advised users to disable web remote control if possible to ensure that the vulnerability is at least not remotely exploitable. The organization also suggests limiting the exposure of local networks, but emphasizes that this is not a completely bulletproof solution.
Via Tom’s hardware

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.



