- CERT/CC reveals CVE-2026-11405, a 9.8/10 critical flaw in multiple Tenda router families caused by a hard-coded backdoor credential
- Attackers can bypass normal login checks and gain full administrator access with the password hidden, regardless of the configured username or password.
- Tenda has not responded; CERT/CC recommends disabling remote web administration and limiting local exposure, although these are only partial mitigations.
Experts have discovered that several families of Tenda routers have a critical vulnerability that allows malicious actors to log in with administrator privileges without knowing the credentials.
The CERT Coordination Center revealed a vulnerability in Tenda routers that it described as an undocumented authentication backdoor caused by an encrypted credential.
The flaw is tracked as CVE-2026-11405 and was assigned a severity score of 9.8/10 (critical). CERT/CC reportedly attempted to contact the manufacturer, without success.
How vulnerability works
Explaining how it works, CERT/CC says that the attacker would first try to log in normally to the router’s web management interface. Even if the credentials are incorrect, the firmware will not automatically reject them, but will instead check a second hidden password, stored internally. If the attacker knows the hidden credential, he or she gains full administrator access, regardless of the configured administrator password or username.
The username doesn’t even matter as long as the password is provided. Obviously, CERT/CC didn’t say what the password was, but with a little reverse engineering of the firmware, it can be exposed on the dark web or to the general public.
Tenda is a Chinese company that makes inexpensive networking equipment popular primarily in India and adjacent markets, where its products are popular in homes and among small businesses.
Therefore, the flaw still affects multiple firmware versions, including the FH1201, W15E, AC10, AC5, and AC6 router families. To make matters worse, CERT/CC added that the full list of affected models is likely even longer.
Tenda has not yet commented on the findings. In the meantime, CERT/CC recommended users disable remote web administration, if possible, to ensure that the vulnerability cannot be exploited remotely, at least. The organization also suggests limiting the exposure of the local network, but emphasizes that this is not a completely secure solution.
Through Tom Hardware

The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to receive news, reviews and opinions from our experts in your feeds.




