Hidden Admin Backdoor Found in Tenda Router Firmware, CERT/CC Warns

A flaw tracked as CVE-2026-11405 lets anyone skip the password check and take over affected Tenda routers through the web interface.

ThreatVectr Newsdesk· 3 min read
Full-frame photoreal editorial shot of a small black consumer Wi-Fi router on a plain desk, indicator lights glowing amber, softly lit from one side, moody shad
Share

Key points

  • The CERT Coordination Center (CERT/CC) warned on Monday that several firmware versions from Chinese router maker Tenda contain a hidden authentication backdoor.
  • The flaw is tracked as CVE-2026-11405 and lets an attacker skip the login process on the router's web management page.
  • Once inside, an attacker gets full administrator rights over the device, meaning they can change settings, redirect traffic, or plant further malware.
  • Home users and small businesses running affected Tenda routers should check the vendor's site for a firmware update and, in the meantime, block the admin page from the wider internet.

A U.S. government-funded security group has warned that several Tenda router models ship with a secret way in.

The CERT Coordination Center (CERT/CC), a vulnerability clearinghouse run out of Carnegie Mellon University, said Monday that multiple firmware releases from Chinese networking vendor Tenda include an undocumented authentication backdoor. In plain terms: a hidden shortcut baked into the software that lets someone log in as the administrator without knowing the real password.

The issue is tracked as CVE-2026-11405. It sits in the web interface, the page you open in a browser to configure the router.

What can an attacker actually do with this?

They can take full control of the router. CERT/CC says the flaw lets an attacker bypass the password check entirely and reach the administrative panel, which is the same view the device's owner sees when they log in to change Wi-Fi settings or update the firmware.

From there, the options are ugly. An attacker can change the DNS settings (the phonebook the router uses to look up websites) and quietly send users to fake banking or email pages. They can open the network to further attacks, watch traffic, or install malicious code that survives reboots. Routers hijacked this way are also a favourite building block for botnets, large groups of infected devices used to launch attacks on other targets.

The advisory, first reported by The Hacker News, does not tie the backdoor to any specific attack in the wild. But an undocumented admin bypass in consumer networking gear is exactly the kind of bug that criminal groups and state-linked crews scan for at scale, usually within days of disclosure.

Who is affected?

CERT/CC says the backdoor is present in several Tenda firmware versions. The coordinator's advisory is the primary source for the exact model and firmware list, and defenders should treat that list, not summaries, as authoritative. (At time of writing Tenda had not published its own security advisory acknowledging the flaw, which is not unusual for this vendor.)

Tenda gear is sold widely to home users and small businesses, often as budget Wi-Fi routers and range extenders. That means the people most exposed are the least likely to be watching CVE feeds.

What should router owners do now?

A few practical steps.

First, check whether your router is a Tenda model, and if so, look on the vendor's support page for a firmware update matching your exact model number. Install it when one is available.

Second, make sure the router's admin page is not reachable from the wider internet. Most home routers have a setting called "remote management" or "WAN admin access". Turn it off. This does not fix the bug, but it means an attacker has to already be on your network to use it.

Third, change the admin password to something long and unique, and change the Wi-Fi password too. Neither stops CVE-2026-11405 on its own, but both raise the cost of everything else an attacker might try.

If you run a small business on consumer-grade Tenda kit, this is a reasonable moment to price up a replacement from a vendor with a clearer track record on patching. Backdoors that ship from the factory, whether left in by mistake or by design, are the kind of finding that rarely turns out to be a one-off.

© 2026 Threat Vectr