Skip to main content
TechnologyJul 9, 2026· 2 min read

Red Alert for Wi-Fi: These 5 Tenda Routers are Vulnerable, No Patch Coming

Red Alert for Wi-Fi: These 5 Tenda Routers are Vulnerable, No Patch Coming

The CERT Coordination Center (CERT/CC), the cybersecurity center associated with the Software Engineering Institute at Carnegie Mellon University and supported by the U.S. government, has disclosed a vulnerability that grants full administrative control over several Tenda routers. The vulnerability, classified as CVE-2026-11405, is an undocumented authentication backdoor embedded in the firmware: it bypasses the normal login procedure and opens the web management interface of the devices without needing any valid credentials.

The CERT/CC advisory lists five affected firmware versions, distributed across the models FH1201, W15E, AC10, AC5, and AC6. The document, which attributes the discovery to an anonymous researcher, specifies that the list is not necessarily exhaustive: it only covers the builds that have actually been analyzed, in the absence of confirmation from the manufacturer about the actual extent of the problem.

The flaw is embedded in the integrated web server of the routers, within the binary /bin/httpd. The login routine works normally at first, verifying the administrator password with an MD5-based check. However, if the verification fails, the firmware silently takes an undocumented second path: it retrieves an alternative value stored in the configuration key sys.rzadmin.password and compares it to the password entered by the user using the standard C library function strcmp().

No Patch, No Response from Tenda

If the password matches, the system instantly creates an administrative session with full privileges. The username is never checked; it is enough to know the hidden password, regardless of which username is entered, to completely bypass the administrator account configured by the router's owner.

CERT/CC has not made the hidden password public, but the mere existence of a second authentication path, parallel and invisible, undermines the security model of the affected devices. This is not an implementation error in the existing login logic, but a separate access with credentials that do not appear anywhere in the management interface. Whether it was inserted intentionally or forgotten during some development phase remains an unknown: CERT/CC does not speculate on intentions, and Tenda's silence does not help clarify the situation.

Those exploiting the vulnerability gain full control of the router's configuration: they can change DNS servers to redirect network traffic, disable active security protections, replace administrative credentials, or enable additional remote access features. Being the mandatory pass-through point between local network devices and the internet, a compromised router exposes everything connected to it to attack.

While waiting for an official firmware update, CERT/CC recommends disabling remote web management to prevent the administrative interface from being reachable from the internet. It also suggests limiting exposure on the local network: changing the default LAN IP address reduces detectability by automatic scanners but offers no protection against a targeted and informed attack.