A hidden password that lets anyone in: CVE-2026-11405
Several Tenda router firmware builds ship with an undocumented second password: when the normal login fails, the device checks a hidden value and hands full admin to any username that matches. No patch, vendor unreachable, public PoC circulating — on the cheap routers at the edge of small utilities, farms, and facilities.
Read the analysis →
pre-auth no valid login needed
role=2 full admin granted
no patch vendor not reachable