Tenda Firmware Flaw Grants Admin Access

In firmware used in consumer and industrial routers, switches, wireless access points and video surveillance systems of the company Tenda, a backdoor has been identified (CVE-2026-11405), allowing access to the web interface with administrator rights, bypassing the standard authentication process and independently from the administrator account settings. The access rights provided allow you to manage all settings, manipulate traffic, disable security features, and use the device as a springboard to attack systems on the local network.

The problem is caused by undocumented functionality in the /bin/httpd process, built into the login() function. If the standard password check using a hash based on the MD5 algorithm for any login failed, the code called the GetValue(“sys.rzadmin.password”) function, which checked whether the password matches the value predefined in the firmware in clear text. If there was a match, regardless of the specified login, a session with administrator rights was created.

To use the backdoor, it is enough to have access to send requests to the device via HTTP or HTTPS. As a workaround for protection, it is recommended to prohibit access to the HTTP server built into the firmware from external networks.

The presence of the problem is confirmed in the firmware:

  • US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD
  • US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE
  • US_AC10V1.0re_V15.03.06.46_multi_TDE01
  • US_AC5V1.0RTL_V15.03.06.48_multi_TDE01
  • US_AC6V2.0RTL_V15.03.06.51_multi_TDE01
/Reports, release notes, official announcements.