A Secret Backdoor in Tenda Home Routers Lets Strangers Take Control, and There Is No Fix

A hidden login trick buried in Tenda networking gear gives anyone who knows the magic password full administrative control. The maker has not responded, and no patch exists.

ThreatVectr Newsdesk· 3 min read
Photoreal news-editorial style, 16:9 framing, full-frame edge-to-edge composition
Share

Key points

  • A researcher found a secret, undocumented backdoor in multiple Tenda firmware versions, tracked as CVE-2026-11405, that bypasses normal login security entirely.
  • The flaw accepts any username paired with a single hidden password, and the device grants full admin access without question.
  • Successful exploitation lets an attacker change network settings, disable security features, and take over the local network.
  • CERT/CC, the vulnerability coordination body at Carnegie Mellon University, says Tenda did not respond, and no patch has been released as of the disclosure date.
  • A separate unpatched flaw, CVE-2026-13753, exposes Wi-Fi passwords and admin data on HP Deskjet 2800 series printers.

Tenda makes home and small-business routers, switches, and other networking devices sold in huge volumes around the world. A security researcher found that a secret password is baked directly into the software that runs those devices, and any outside attacker who knows that password gets the same level of control as the person who owns the device.

Here is what makes it worse. The username field, the part where you normally type who you are, is never actually checked. Type anything. Type nothing. Pair it with the hidden password and the device waves you straight through.

How did this backdoor get there in the first place?

The word "backdoor" means a secret way into a system that bypasses the normal lock. This one sits inside the login code of Tenda's web management interface, the browser page you open to configure your router. When a normal login attempt fails, the code goes looking for a password stored inside the device's own settings file. It then checks only the password you typed against that stored value, in plain readable text, and opens the door if they match. No username check happens at all.

CERT/CC, which first reported the details, confirmed the mechanism is invisible through any normal admin screen. You cannot see it. You cannot disable it through a settings menu. It simply exists.

A criminal who exploits this can change your router's configuration, redirect your internet traffic, disable your firewall, or use your home network as a launchpad for attacking other systems.

Tenda has not responded to CERT/CC's attempts to coordinate a fix. No patch exists.

On the same day, CERT/CC also disclosed CVE-2026-13753, a separate flaw affecting HP Deskjet 2800 series printers running firmware up to version TBP1CN2612AR. Anyone on the same network can send simple web requests to the printer and pull back Wi-Fi passwords, printer serial numbers, and admin configuration details, all without logging in. HP has also not patched this.

If you own a Tenda router or switch, take two steps right now. First, turn off remote web management, the setting that lets you access your router's control page from outside your home. Second, change the router's default local network address. Automated scanners constantly probe the internet for known device types, and these steps reduce your exposure. Neither step fixes the flaw, but both cut the easiest attack routes.

For HP Deskjet 2800 owners, keep the printer off your public Wi-Fi network and on a segment that outside visitors cannot reach.

Operational takeaway: an unpatched backdoor with no vendor response is not a risk you can patch away, so your only move is to shrink the attack surface until someone ships a fix.

© 2026 Threat Vectr