CVE-2026-11405
Tenda · firmware
A hidden backdoor in Tenda firmware's /bin/httpd login() function allows unauthenticated attackers to bypass authentication and gain full administrative control.
Executive summary
A critical, actively exploited backdoor in Tenda firmware allows unauthenticated attackers to gain full administrative control over affected networking devices.
Vulnerability
The web server binary /bin/httpd contains an undocumented backdoor in the login() function that permits full administrative access by bypassing standard password verification. This allows unauthenticated remote attackers to authenticate with any username and a specific backdoor password.
Business impact
This vulnerability carries a CVSS score of 9.8 (Critical), reflecting the ease of exploitation and the total compromise of device integrity. Attackers can reconfigure network settings, intercept traffic, or disable security features, leading to a complete compromise of the local network and severe reputational and data security risks.
Remediation
Immediate Action: Disconnect affected devices from the internet immediately. Consult the vendor advisory at https://kb.cert.org/vuls/id/213560 for the latest guidance or firmware replacement instructions.
Proactive Monitoring: Review device logs for unauthorized administrative logins and inspect network traffic for anomalous patterns or unauthorized file deployments.
Compensating Controls: Implement strict firewall rules to prevent external access to the web administration interface of Tenda devices.
Exploitation status
Public Exploit Available: true
Analyst recommendation
Due to active exploitation in the wild and the severity of the backdoor, this vulnerability presents an immediate danger to network infrastructure. If a patch is not yet available, affected devices should be isolated from all untrusted networks until a secure configuration or update can be applied.