Several Tenda routers contain an undocumented login mechanism that can grant full administrative access without the owner’s username or password.

The vulnerability is tracked as CVE-2026-11405. CERT/CC disclosed it on July 6 after finding the hidden authentication path in multiple versions of Tenda firmware. Tenda had not responded to CERT/CC or released a patch as of the disclosure.

What was found

Tenda routers provide a web dashboard where owners can change Wi-Fi passwords, configure network settings, install firmware updates, and manage connected devices.

On the affected routers, the login process first checks the username and password normally. When that check fails, the software retrieves a separate password stored inside the router’s configuration.

If the submitted password matches that hidden value, the router creates a full administrator session. The username does not matter.

This login path is not documented and does not appear anywhere in the normal administrative interface. Changing the router’s regular administrator password does not remove it because the hidden password is checked separately.

CERT/CC has confirmed the following affected firmware versions:

FH1201: US_FH1201V1.0BR_V1.2.0.14(408)_EN_TD

W15E: US_W15EV1.0br_V15.11.0.5(1068_1567_841)_EN_TDE

AC10: US_AC10V1.0re_V15.03.06.46_multi_TDE01

AC5: US_AC5V1.0RTL_V15.03.06.48_multi_TDE01

AC6 V2: US_AC6V2.0RTL_V15.03.06.51_multi_T

These are exact firmware builds. Owning one of the listed router families does not automatically confirm that your device is running the vulnerable version, but it is reason enough to check.

Why router access matters

Your router controls the connection between your devices and the internet.

An attacker with administrator access could change network settings, disable security features, interfere with connected devices, or redirect traffic through infrastructure they control. A compromised router can also give an attacker a better position for targeting computers, phones, cameras, smart-home devices, and business equipment on the local network.

The immediate risk depends on who can reach the router’s management page.

Remote management allows the dashboard to be accessed from outside the home or office. If that feature is enabled, an attacker may be able to attempt the hidden login over the internet.

Disabling remote management limits exposure to devices already connected to the local network. That still leaves risk from infected computers, untrusted guests, poorly secured smart devices, or anyone with Wi-Fi access.

Changing your password is not enough

This vulnerability exists inside the firmware’s authentication code.

Changing the administrator password will protect the normal login path, but the router will continue checking the hidden password after an unsuccessful login. A factory reset also leaves the affected firmware installed.

CERT/CC has not published the hidden password. Security through secrecy should not be treated as protection. Anyone capable of obtaining and reverse-engineering the firmware may be able to recover the same value.

What owners should do

First, identify your router’s exact model and firmware version. You can usually find the model on a label attached to the router. The firmware version should appear inside the Tenda app or the router’s web dashboard.

Compare the full firmware string with the affected versions listed above. Similar numbers are not enough. Check the complete version.

Next, disable remote web management. The setting may be listed under administration, remote management, web access, or system settings. CERT/CC specifically recommends disabling this feature to prevent access from external networks.

Owners should also keep untrusted devices off the primary network. Place guests and smart-home equipment on a guest network when the router supports it. This reduces the number of devices that can reach the administrative interface.

Check Tenda’s support page for a firmware update, but verify that the update explicitly addresses CVE-2026-11405. A newer version number alone does not confirm that the hidden authentication mechanism has been removed.

At the time of disclosure, no patch was available and Tenda had provided no vendor statement. CERT/CC listed the vendor’s status as unknown.

For a confirmed affected device, replacement is the safest option until Tenda provides a verified fix. This is especially important for small businesses, remote workers, and anyone using the router to protect cameras, storage devices, work computers, or other sensitive systems.

The useful takeaway

A strong Wi-Fi password cannot protect a router that contains a second, hidden administrator password.

Check the model and firmware. Disable remote management. Replace confirmed affected hardware when no verified patch is available.

Keep Reading