Active Exploitation Alert: Hidden Admin Backdoor (CVE-2026-11405) in Tenda Router Firmware Enables Unauthenticated Remote Access

Active Exploitation Alert: Hidden Admin Backdoor (CVE-2026-11405) in Tenda Router Firmware Enables Unauthenticated Remote Access

Executive Summary

The CERT/CC has issued a critical advisory regarding a hidden administrative backdoor in multiple Tenda router firmware versions, tracked as CVE-2026-11405. This vulnerability enables unauthenticated attackers to gain full administrative control over affected devices via the web management interface, bypassing standard authentication mechanisms. The flaw is present in the /bin/httpd binary and leverages an undocumented password field, allowing adversaries to escalate privileges and compromise network security. No official patch is available at the time of writing, and public proof-of-concept code has accelerated exploitation attempts. Organizations using affected Tenda routers are at significant risk and should implement immediate mitigations.

Technical Information

The vulnerability, CVE-2026-11405, resides in the web server component (/bin/httpd) of several Tenda router models. The login() function, responsible for authenticating users, contains a logic flaw: if the standard MD5-based authentication fails, the function retrieves an alternate password from the device configuration using GetValue("sys.rzadmin.password"). If the supplied password matches this hidden value, any username is accepted, and the user is granted administrative privileges (role=2). This bypass is not documented in any official Tenda materials and is invisible to standard administrative interfaces.

The impact of this vulnerability is severe. Attackers exploiting this backdoor can reconfigure the device, alter network settings, disable security features, and potentially pivot to compromise the entire local network. The attack surface is further widened by the presence of a public Nmap NSE script (tenda-backdoor.nse) that automates detection and exploitation via UDP port 7329. Community reports and technical analyses confirm that automated scanners are actively probing for vulnerable devices, and there is evidence of routers contacting suspicious external IP addresses and storing unexplained files.

The vulnerability is mapped to several MITRE ATT&CK techniques, including T1078 (Valid Accounts), T1046 (Network Service Scanning), and T1190 (Exploit Public-Facing Application). While no specific APT group attribution has been made, router backdoors are frequently leveraged by advanced threat actors for initial access and persistence.

Exploitation in the Wild

Although CVE-2026-11405 is not currently listed in the CISA Known Exploited Vulnerabilities (KEV) catalog, multiple independent advisories and community reports confirm that exploitation is occurring in the wild. Publicly available proof-of-concept code, such as the Nmap NSE script, has enabled both opportunistic and targeted attackers to scan for and compromise vulnerable Tenda routers. Observed attack patterns include interception of credentials, session hijacking, and the deployment of unauthorized files on affected devices. Automated scanning activity targeting UDP port 7329 has been widely reported, and several organizations have detected outbound connections from compromised routers to suspicious external infrastructure.

APT Groups using this vulnerability

At the time of writing, there is no direct evidence attributing exploitation of CVE-2026-11405 to specific Advanced Persistent Threat (APT) groups. However, historical patterns indicate that router backdoors are commonly exploited by groups such as APT41 and other China-based actors for initial access, lateral movement, and persistence within target environments. The lack of attribution does not diminish the risk, as the availability of public exploit code significantly lowers the barrier for both sophisticated and less-skilled adversaries.

Affected Product Versions

The following Tenda router models and firmware versions are confirmed to be affected by CVE-2026-11405:

US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD, US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE, US_AC10V1.0re_V15.03.06.46_multi_TDE01, US_AC5V1.0RTL_V15.03.06.48_multi_TDE01, US_AC6V2.0RTL_V15.03.06.51_multi_T, Tenda F3 (300Mbps Wireless Router), Tenda N300 (Easy Setup Router), and firmware versions V12.01.01.48, V12.01.01.42, V12.01.01.23, V12.01.01.53, and V03.03.01.40. Additional models may also be vulnerable if running similar firmware builds.

Workaround and Mitigation

No official patch is available from Tenda as of this advisory. The following mitigations are strongly recommended:

Disable remote web management on all affected Tenda routers, restrict local network exposure by changing default LAN IPs and segmenting management interfaces, monitor for unauthorized access attempts to the web interface and UDP port 7329, update firmware immediately if and when a patch is released via the Tenda official support portal, and replace affected devices if mitigation is not feasible. Organizations should also review router configurations for the presence of the sys.rzadmin.password field and monitor for unexplained files or outbound connections to suspicious IP addresses.

Indicators of Compromise

The following indicators are extracted from public advisories and community reports. These are point-in-time observations and should be validated in your environment before enforcement.

Type

Indicator

Reported (date)

Source

 

Firmware

03[.]03[.]01[.]40

2026-02

LinkedIn Security Alert

Firmware

12[.]01[.]01[.]23

2026-02

LinkedIn Security Alert

Firmware

12[.]01[.]01[.]42

2026-02

LinkedIn Security Alert

Firmware

12[.]01[.]01[.]48

2026-02

LinkedIn Security Alert

Firmware

12[.]01[.]01[.]53

2026-02

LinkedIn Security Alert

Network Port

UDP/7329

2026-02

CERT/CC, GitHub PoC, Reddit Community Report

Config Key

sys.rzadmin.password

2026-02

CERT/CC, devttys0 Technical Analysis

No public IP addresses, domains, or file hashes were available at the time of writing.

References

CERT/CC VU#213560, CVE-2026-11405, CERT-In Advisory CIVN-2026-0004, GitHub PoC Script, LinkedIn Security Alert, Reddit Community Report, devttys0 Technical Analysis

Rescana is here for you

Rescana empowers organizations to proactively manage third-party risk and supply chain security with our advanced TPRM platform. Our continuous monitoring, automated risk assessment, and actionable intelligence help you stay ahead of emerging threats and regulatory requirements. We are committed to supporting your cybersecurity resilience and are happy to answer any questions at info@rescana.com.