- CERT/CC reveals CVE‑2026‑11405, a critical 9.8/10 flaw in multiple Tenda router families caused by a hardcoded backdoor identifier
- Attackers can bypass normal login controls and gain full admin access with the hidden password, regardless of the username or password configured.
- Tenda did not respond; CERT/CC advises disabling remote web management and limiting local exposure, although these are only partial mitigation measures.
Several families of Tenda routers feature a critical vulnerability that allows malicious actors to log in with administrator privileges without knowing credentials, experts have discovered.
The CERT Coordination Center revealed a vulnerability in Tenda routers that it described as an undocumented authentication backdoor caused by a hardcoded credential.
The flaw is identified as CVE-2026-11405 and has been assigned a severity score of 9.8/10 (critical). The CERT/CC would have tried to contact the manufacturer, in vain.
How the vulnerability works
Explaining how it works, CERT/CC says the attacker would first attempt to log in normally to the router’s web management interface. Even if the credentials are wrong, the firmware will not automatically reject them, but will instead check for a hidden second password, stored internally. If the attacker knows the hidden credentials, he gains full admin access, regardless of the admin password or username configured.
The username doesn’t even matter, as long as the password is provided. Obviously, CERT/CC didn’t specify what the password was, but with a little reverse engineering of the firmware it can be exposed either on the dark web or to the general public.
Tenda is a Chinese company that manufactures cost-effective networking equipment, popular primarily in India and adjacent markets, where its products are popular in homes and among small businesses.
The flaw therefore still affects several firmware versions, including the FH1201, W15E, AC10, AC5 and AC6 router families. To make matters worse, CERT/CC added that the full list of affected models is likely even longer.
Tenda has not yet commented on the results. In the meantime, CERT/CC recommends that users disable remote web management, if possible, to ensure that the vulnerability cannot be exploited remotely, at least. The organization also suggests limiting exposure to local networks, but emphasizes that this is not a completely foolproof solution.
Via Tom’s material

The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.




