Several versions of Tenda router firmware contain a hidden authentication backdoor that allows attackers to bypass password verification and gain full administrative access, according to a vulnerability note published on July 6 by the CERT Coordination Center at Carnegie Mellon University. The flaw, tracked as CVE-2026-11405, affects multiple firmware versions including US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD and US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE.
The vulnerability enables unauthorized users to access the web management interface of affected Tenda devices without valid credentials. This backdoor is undocumented, meaning it was not disclosed by Tenda or visible to users. The CERT Coordination Center's report details that attackers exploiting this flaw can take full control of the devices, potentially compromising network security and user data.
This security issue is significant given Tenda's widespread use in consumer and small business networks. Backdoor vulnerabilities undermine trust in device security and can lead to broader network breaches. Similar firmware backdoors have previously resulted in large-scale attacks, highlighting the risks posed by undisclosed access methods in network hardware.
The CERT Coordination Center's advisory on July 6 provides a list of affected firmware versions and urges users to check their devices. Users are advised to update to patched firmware versions once available or apply recommended mitigations to protect their networks from exploitation.