A Hidden Admin Password (Backdoor) in Tenda Wi-Fi Routers: CVE-2026-11405, and There's No Patch
Multiple Tenda Wi-Fi routers ship with a hidden admin password (a backdoor): anyone who can reach the admin page can take the router over with no login (CVE-2026-11405). There is no vendor fix β here's how to check your model and protect yourself.
Table of contents
Multiple Tenda Wi-Fi routers ship with a hidden admin password (a backdoor): anyone who can reach the admin page can take the router over with no login (CVE-2026-11405). There is no vendor fix β here's how to check your model and protect yourself.
Several home and small-office Wi-Fi routers from the Chinese networking vendor Tenda ship with a hidden admin password β a backdoor β that lets anyone log in as administrator without knowing the real password. Tracked as CVE-2026-11405, the flaw lets an attacker send a fixed, built-in secret and take the router over. The U.S. CERT/CC published an advisory on July 6, 2026, and Japan's JVN (the country's public vulnerability-coordination desk) followed with an alert on July 7.
The awkward part: as of this article, there is no fix (firmware update) from the vendor. According to CERT/CC, the reporter notified Tenda on May 19, 2026, but Tenda gave no response and released no patch. That means users can't simply "update to fix it" β the only option is to change settings and defend yourself. Below: what an attacker can do, whether your router is affected, and the practical steps to take when there is no patch.
| Item | Detail |
|---|---|
| Affected | Tenda Wi-Fi routers / access points (FH1201, W15E, AC10, AC5, AC6 and more) |
| Flaw | CVE-2026-11405 (hidden functionality / backdoor) No login required, over the network |
| Worst case | Full admin takeover of the router (config tampering, traffic snooping, pivot to other devices) |
| Fix | None (not provided by the vendor) Self-defense via settings required |
| Exploitation | No real-world attacks or public proof-of-concept confirmed as of now |
* A "backdoor" is a hidden way into a device that bypasses normal authentication. Here it means a fixed secret built into the product from the start.
Who Is at Risk, and What Is the Damage?
The first to go after this are attackers who look for routers whose admin page they can reach β from the internet or from within Wi-Fi range. A router sits at the entrance to a home or shop's internet, and anyone who logs into its settings as administrator can bend almost all traffic passing through it. Because this flaw needs no valid password at all, an attacker who can reach the admin page gets in without even the effort of cracking a password.
What they do next is rewrite the router's settings to quietly steer your traffic to a destination of their choosing. A classic move is to swap the "DNS" setting β the directory that decides where your connections go β to lure you to fake sites that look just like the real ones. They can also use the router as a foothold into the PCs, phones, security cameras, and smart-home gear on your network, or enlist it into a botnet used to attack others.
The ones who suffer are the households and small shops or offices using the router. Routers are "set and forget" devices; many homes have never revisited the settings since the day they bought it. A takeover shows no warning on screen, so your traffic can be watched for a long time without anyone noticing. A router is the single road every device's internet travels down. Someone else holding that road is far weightier than one PC catching a virus.
What Tenda Is, and How It's Used
Tenda is a networking-equipment maker headquartered in Shenzhen, China. It sells low-cost Wi-Fi routers, range extenders, and switches worldwide, and it circulates in many markets as an affordable option β for a studio apartment, an extra unit to widen coverage, or a small shop's line. It's often chosen when someone wants to "get Wi-Fi up cheaply and quickly."
In many homes the mainstream choices are ISP-supplied gear or national brands like NEC's Aterm, but low-cost overseas routers like Tenda's are used in real numbers too. Especially when someone "just bought a cheap one without checking the model," "had a family member set it up," or "has kept using it for years," they may not even remember the brand. When the vendor issues no fix β as here β whether you even know the device exists is what decides your exposure.
What Is Actually Happening, Technically
Per CERT/CC's analysis, the problem is in the program that runs the router's admin page (/bin/httpd). When normal password verification fails, the program pulls a separate value it holds internally (an item called sys.rzadmin.password) and compares the input against it directly. If the input matches this hidden password, the login is granted as administrator no matter what the username is.
Notably, while normal passwords are checked after a cryptographic transform (a hash such as MD5), this hidden path compares the raw value with no transform at all. It looks like a "back door" a designer left in for maintenance or resets, which then shipped in the product. Japan's JVN classifies it as "hidden functionality with a security problem" (CWE-912). Because it needs no valid credentials and only requires being able to reach the admin page over the network, the severity is rated high.
Is Your Router Affected? (Model Quick Reference)
CERT/CC lists specific firmware on the following models. You can find the model on the label on the bottom or side of the router, or in the admin page's "system information." Even Tenda models not listed here could share the same design, so if you use a Tenda router, read the countermeasures section below.
| Model | Affected firmware (example) | Type |
|---|---|---|
| FH1201 | V1.2.0.14(408) | Wi-Fi router |
| W15E | V15.11.0.5(1068_1567_841) | Access point |
| AC10 | V15.03.06.46 | Wi-Fi router |
| AC5 | V15.03.06.48 | Wi-Fi router |
| AC6 | V15.03.06.51 | Wi-Fi router |
* These are example combinations CERT/CC confirmed. Notation varies by firmware, and other builds in the same line may also be affected.
When Does the Attack Work? (Where You Get Hit)
The attack works when the attacker can reach the router's admin page. It's worth being level-headed here. The admin page is not necessarily open to the outside (internet) by default; many home routers only expose it to the home network out of the box. So rather than the whole world taking over your router at once, the realistic entry points are these:
- If "remote management" is enabled. Exposing the admin page to the internet so you can configure it from outside means anyone, anywhere can target it. This is the most dangerous state.
- If someone gets onto the same Wi-Fi. A guest who knows the password, a third party who guessed or reused it, or an environment where many people connect (like open Wi-Fi) β any of these reaches the admin page from inside the network.
- If another device on your network is compromised. A PC or smart-home gadget infected with malware becomes a launch point to hit the admin page from the inside. Some techniques even use a web page you're viewing to operate internal devices.
As of now, no real-world attacks or public proof-of-concept (PoC) using this flaw have been confirmed. But a backdoor that needs no authentication pairs well with automated sweeps for exposed devices, so the bar to abuse is not high. Treat "no attacks observed yet" as different from "safe," and prepare accordingly.
With No Patch, What Should You Do Now?
Because there is no vendor fix, you can't close this by updating. On that basis, here are the practical steps to narrow the entry points, in order of impact.
1. Turn remote management OFF, without fail. Simply disabling access to the admin page from outside the home closes the most dangerous entrance β takeover across the internet. In Tenda's admin page, under "system" or "security" settings, confirm that remote management / WAN access is off. For most homes, this feature is unnecessary.
2. Harden your Wi-Fi and admin passwords. You can't change the hidden password itself, but keeping people off your Wi-Fi in the first place blocks the inside route. Make the Wi-Fi password long and complex, use a separate guest network for visitors, and check for connected devices you don't recognize.
3. Check for signs of takeover. Log into the admin page and confirm that the DNS settings haven't been changed to values you don't recognize, that no unfamiliar devices are listed, and that the admin password hasn't been altered. If anything looks off, handle it together with the reset in the next step.
4. If doubt remains, consider replacing it. This is the surest fix. Continuing to use a device the vendor won't patch means carrying an open back door indefinitely. If you run an affected model at your network's edge (the boundary with the internet), swapping to a router that still gets fixes and support is safer in the long run. When you buy, the broader picture of router security across vendors is worth weighing.
If you can't replace it right away, a stopgap is to move the affected router off the network edge and run it behind a properly managed router (on the LAN side), with admin access tightly restricted. Either way, "just wait for a fix" is not a strategy that works here.
FAQ
I'm not sure if my router is a Tenda. Where do I look?
The label on the bottom or side of the router shows the maker (Tenda) and model (FH1201, AC10, etc.). If it's ISP-supplied gear or a national-brand device, it's not affected here. Once you know the model, compare it against the quick-reference table above.
When will fixed firmware arrive?
As of this article, no fix from Tenda has been released. Per CERT/CC, the reporter notified Tenda on May 19, 2026, but got no response. A fix may come later, but the back door stays open while you wait. Do the self-defense steps above regardless of whether a patch appears.
Is it already being exploited?
No real-world attacks or public PoC using this flaw have been confirmed as of now. But an authentication-free back door is easy to abuse, so don't get complacent. Devices with remote management enabled are especially likely to be swept by automation after disclosure, so prioritize reviewing those settings.
Is turning off remote management completely safe?
It closes the most dangerous entrance β takeover over the internet β but the inside routes remain: someone getting onto your Wi-Fi, or another device on your network being compromised. Build on remote-management-off with stronger Wi-Fi passwords and device checks, and consider replacing models you remain uneasy about.
Summary
Several Tenda Wi-Fi routers were found to contain a hidden password (CVE-2026-11405) that logs you in as administrator with no valid password. A takeover can lead to traffic snooping, redirection to fake sites, and a foothold into other devices on your network. A router is the single road all your home's traffic travels down, and someone else holding it is no small thing.
The biggest problem is that there is no vendor fix. Since you can't repair it by updating, the realistic answer is self-defense: turn off remote management, harden your Wi-Fi and inspect the device, and replace it if you're uneasy. Routers tend to become "set it and forget it" appliances, but take this chance to check which maker's device β and how old β sits at your network's entrance. Router safety is kept by the steady habit of revisiting it. It's also worth keeping an eye on the risks in everyday gear, like the flaws found in popular home Wi-Fi routers.
References

Makoto Horikawa
Backend Engineer / AWS / Django