VULNERABILITY THREAT RESEARCH 2026-07-09

A hidden password that lets anyone in: CVE-2026-11405

Several versions of Tenda router firmware ship with an undocumented second password. When the normal login fails, the device quietly checks a hidden value — and if you match it, you get full administrator access with any username you like. There is no patch, the vendor could not be reached, and a public proof-of-concept is already circulating.

Deception Check CVE-2026-11405 auth bypass · effectively critical CERT/CC VU#213560 disclosed 2026-07-06
TL;DR 60-second read
CVE-2026-11405 is an undocumented authentication backdoor in the /bin/httpd web server that runs Tenda's device management interface. On a failed login the code reads an alternate password from device configuration under sys.rzadmin.password and grants role=2 administrator access to any username paired with it. CERT/CC published the finding as VU#213560 on July 6; a public PoC hit GitHub July 7, and scanning tooling has followed. We're flagging it under our operational-technology and critical-infrastructure watch because these inexpensive routers sit at the network edge of the small utilities, farms, and facilities we care about.
pre-auth
no valid login needed
role=2
full admin granted
no patch
vendor not reachable
01 — WHAT THE VULNERABILITY IS

Tenda is a large maker of low-cost networking gear, including home and small-business routers, switches, wireless access points, and video surveillance equipment. Like most such devices, its routers are managed through a web interface — a login page protected by a username and password that is supposed to be the only way to change settings. CVE-2026-11405 is a backdoor inside that login. It is not a coding slip that leaks a few bytes or mishandles an edge case: it is a deliberate, undocumented second authentication path built into the firmware that grants administrator access to anyone who knows a hidden password value.

The device checks your password the honest way — and when that fails, it checks a second, hidden password nobody told the owner about. Match the hidden one and you are the administrator, whatever name you used.
02 — HOW THE EXPLOIT WORKS

The management interface is served by a single binary on the device, /bin/httpd. On a normal login it hashes the submitted password and compares it against the stored MD5 value. On a failed match, instead of rejecting the request, the function fetches a separate password value from device configuration and performs a direct strcmp() — a plaintext string comparison. If the two strings are identical, the code grants a session at role=2, the administrator level, and treats you as logged in. The second path never validates the account name.

Two things make this worse than a typical hard-coded credential. First, the backdoor password is read from running configuration rather than fixed in the binary — it doesn't stand out as an obvious constant, and it can be recovered by anyone who can read a device's configuration or firmware. Second, the comparison is plaintext, so there is no hashing to slow an attacker down and nothing to reverse. A public proof-of-concept that automates the check appeared within a day of disclosure, and scanning scripts that fingerprint Tenda login pages are the natural next step.

03 — WHY A CHEAP ROUTER LANDS ON AN OT & CI WATCH

These routers are consumer and small-office devices first — not industrial control systems. We flag it anyway, for a narrower, defensible reason: inexpensive routers like these are exactly what turns up at the thin-budget edge of real critical-infrastructure operators. Small and rural water systems, single-site manufacturers, farms and food-and-agriculture sites, and building operators routinely run whatever router was cheapest. When a device like this is the internet-facing edge of a small operator, an unauthenticated administrator takeover is a textbook initial-access foothold — the router is not just a router, it is the doorway to the kind of edge device that, at a small utility or facility, is the last line before the control network.

04 — WHAT WE SEE FROM OUR SENSORS

We run a fleet of honeypots and edge decoys, and this is squarely the kind of activity they're built to observe. The bypass is trivial to attempt — submit a login and see whether the backdoor password is accepted — so the observable footprint is concrete: automated requests to Tenda login pages, device fingerprinting, and login attempts that succeed with unexpected or throwaway usernames. A decoy that presents as a Tenda-style admin panel is well placed to catch both the reconnaissance and the bypass attempts that follow.

THE HONEST FRAMING
We are not reporting confirmed CVE-2026-11405 captures in our own fleet as of this writing, and we will not imply we have them. What we are saying: the indicators above are what we're watching for — and if you operate any of the affected models, your own logs deserve the same review, starting with logins that succeed under a username you never created.
05 — HOW TO FIX OR MITIGATE IT

There is no patched firmware to install, so the guidance is mitigation and exposure reduction until — and unless — the vendor ships a fix. The single most important step: make sure the management interface cannot be reached from the internet, because a backdoor you cannot connect to cannot be used against you.

AFFECTED BUILDS (CERT/CC VU#213560)  ·  FH1201 v1.2.0.14(408)  ·  W15E v15.11.0.5  ·  AC10 v15.03.06.46  ·  AC5 v15.03.06.48  ·  AC6 v15.03.06.51
[ ] Disable remote web management. If the device offers remote or WAN-side administration, turn it off. This most directly removes the risk — an attacker on the internet can never reach the login page with the backdoor.
[ ] Keep the management interface off untrusted networks. Restrict access to a trusted management segment; never expose it to guest or general-user networks. In OT settings, put such devices behind proper segmentation rather than flat with the equipment they protect.
[ ] Change the default LAN IP address. CERT/CC notes that moving the device off its default address reduces opportunistic discovery by scanners targeting known default ranges. It slows mass scanning; it does not stop a deliberate, targeted scan.
[ ] Plan replacement for end-of-support gear. Several affected models are older lines; a vendor that can't be reached for a backdoor disclosure is unlikely to patch quickly. Where one of these guards anything that matters, the durable fix is a supported device from a vendor that coordinates on vulnerabilities.
06 — INDICATORS & REFERENCES
CVE
CVE-2026-11405 — undocumented authentication backdoor (hidden functionality, auth bypass via alternate path)
MECHANISM
On failed MD5 login, login() reads sys.rzadmin.password from config and does a plaintext strcmp(); a match grants role=2 admin, username unvalidated
EXPLOITATION
Not on CISA KEV as of this writing; no vendor-confirmed in-the-wild campaign. Public PoC created and indexed 2026-07-07; scanning tooling reported. Trivial to attempt and mass-scannable — treat exposed devices as at risk
ADVISORY
CERT/CC Vulnerability Note VU#213560, published 2026-07-06
AN HONEST CAVEAT
Our account is drawn from the CERT/CC vulnerability note VU#213560, The Hacker News reporting on the disclosure, and the CVE record. We have not observed exploitation in our own fleet as of this writing. The OT and CI relevance is indirect: this is a consumer and small-office router, not a native industrial device — and its place on this watch is about where these devices end up, not what an ICS protocol audit would say. What earns it your attention is the combination of an unauthenticated full-admin backdoor, no available patch, a live PoC, and evidence-class scanning that shows up at the thin edge of critical infrastructure.
Deception Check mark © 2026 Deception Check, Inc. — deception-based detection, vulnerability context for the operators we watch
← all research