Several versions of Tenda router firmware ship with an undocumented second password. When the normal login fails, the device quietly checks a hidden value — and if you match it, you get full administrator access with any username you like. There is no patch, the vendor could not be reached, and a public proof-of-concept is already circulating.
Tenda is a large maker of low-cost networking gear, including home and small-business routers, switches, wireless access points, and video surveillance equipment. Like most such devices, its routers are managed through a web interface — a login page protected by a username and password that is supposed to be the only way to change settings. CVE-2026-11405 is a backdoor inside that login. It is not a coding slip that leaks a few bytes or mishandles an edge case: it is a deliberate, undocumented second authentication path built into the firmware that grants administrator access to anyone who knows a hidden password value.
The management interface is served by a single binary on the device, /bin/httpd. On a normal login it hashes the submitted password and compares it against the stored MD5 value. On a failed match, instead of rejecting the request, the function fetches a separate password value from device configuration and performs a direct strcmp() — a plaintext string comparison. If the two strings are identical, the code grants a session at role=2, the administrator level, and treats you as logged in. The second path never validates the account name.
Two things make this worse than a typical hard-coded credential. First, the backdoor password is read from running configuration rather than fixed in the binary — it doesn't stand out as an obvious constant, and it can be recovered by anyone who can read a device's configuration or firmware. Second, the comparison is plaintext, so there is no hashing to slow an attacker down and nothing to reverse. A public proof-of-concept that automates the check appeared within a day of disclosure, and scanning scripts that fingerprint Tenda login pages are the natural next step.
These routers are consumer and small-office devices first — not industrial control systems. We flag it anyway, for a narrower, defensible reason: inexpensive routers like these are exactly what turns up at the thin-budget edge of real critical-infrastructure operators. Small and rural water systems, single-site manufacturers, farms and food-and-agriculture sites, and building operators routinely run whatever router was cheapest. When a device like this is the internet-facing edge of a small operator, an unauthenticated administrator takeover is a textbook initial-access foothold — the router is not just a router, it is the doorway to the kind of edge device that, at a small utility or facility, is the last line before the control network.
We run a fleet of honeypots and edge decoys, and this is squarely the kind of activity they're built to observe. The bypass is trivial to attempt — submit a login and see whether the backdoor password is accepted — so the observable footprint is concrete: automated requests to Tenda login pages, device fingerprinting, and login attempts that succeed with unexpected or throwaway usernames. A decoy that presents as a Tenda-style admin panel is well placed to catch both the reconnaissance and the bypass attempts that follow.
There is no patched firmware to install, so the guidance is mitigation and exposure reduction until — and unless — the vendor ships a fix. The single most important step: make sure the management interface cannot be reached from the internet, because a backdoor you cannot connect to cannot be used against you.
© 2026 Deception Check, Inc. — deception-based detection, vulnerability context for the operators we watch