Tendvane

← All articles

NetworkJuly 13, 2026

Some Tenda routers have a hidden backdoor with no fix - here's how to lock yours down

There's a hidden door in some Tenda routers, and right now there's no lock for it. On July 7 the CERT Coordination Center at Carnegie Mellon warned that several Tenda models ship with an undocumented backdoor password built into the firmware - anyone who knows it can sign into the router's admin panel and take full control, no matter what password you've set. It's tracked as CVE-2026-11405, and so far Tenda hasn't shipped a fix or even responded.

The models named so far are the budget-friendly FH1201, W15E, AC10, AC5 and AC6 - the kind of inexpensive routers sold widely online and sometimes handed out by smaller providers. Researchers found the flaw in the router's built-in web server: when a normal login fails, the code quietly checks a second, secret password and hands over administrator access if it matches.

Nobody has confirmed mass attacks yet, but proof-of-concept code is already public, and internet-facing routers are exactly what botnets go hunting for. Until Tenda patches this - if it ever does - the sensible step is to turn off remote management (sometimes called remote web access or WAN management) in your router settings, so the admin page can't be reached from the internet at all. If your model is already out of support, the honest answer is to plan a replacement; a backdoor with no patch isn't something you can wait out.

Not sure what's even on your network? Tendvane's Network scan lists every device with its maker and the services it's exposing, so you can find your router and see what's reachable before you log in and shut the door.

Sources

Download Tendvane