Vulnerabilities

Unpatched Backdoor in Tenda Firmware Grants Admin Access to Devices

Tracked as CVE-2026-11405, the vulnerability allows unauthenticated attackers to access a device’s web management interface.

Router vulnerabilities

A security researcher has discovered an undocumented backdoor in multiple Tenda firmware versions that provides attackers with administrative access to a device’s web management interface.

The security hole appears to affect Tenda routers, switches, and other types of networking devices.

Tracked as CVE-2026-11405, the vulnerable code was found in the login function of the web server binary and can be abused for authentication bypass, warns the CERT Coordination Center (CERT/CC) at Carnegie Mellon University.

The issue exists because, when authentication fails, the login mechanism attempts to retrieve a password value stored in the device’s configuration.

Next, the mechanism checks only the user-supplied password against the value stored in the configuration, in plaintext, and grants administrative access upon a successful match.

“The associated username is not validated, so any provided username will succeed when paired with the backdoor password. This backdoor authentication mechanism is not documented or visible through any administrative interface,” CERT/CC explains.

Advertisement. Scroll to continue reading.

Successful exploitation of the security defect provides an attacker with the ability to modify device configurations and network settings, and to disable security features, which could lead to local network compromise.

CERT/CC says it was unable to coordinate with the vendor to disclose the security defect, and no patch has been released for it.

Users are advised to disable the remote web management of their devices to prevent unauthorized external access and to change the default LAN IP address to reduce the risk of discovery by automated scanners.

On Tuesday, CERT/CC also disclosed a missing authorization vulnerability in HP Deskjet 2800 series printers running firmware versions up to TBP1CN2612AR. The flaw has not been patched and is tracked as CVE-2026-13753.

An attacker can send GET requests to multiple backend API endpoints that, without authentication or session state validation, return admin configuration data such as Wi-Fi Direct SSID, plaintext passphrase, unique printer serial numbers, service IDs, and administrative password state details.

“This vulnerability allows unauthenticated access to the printer’s webserver API endpoints, exposing Wi-Fi credentials, management configuration details, and sensitive security data normally restricted to administrative users,” CERT/CC explains.

Related: CISA Urges Immediate Patching of Exploited ColdFusion, Langflow, Joomla Flaws

Related: Critical Vulnerability Exposes GitHub Agentic Workflows to Prompt Injection

Related: Critical Gitea Flaw Under Active Exploitation, Researchers Warn

Related: ‘DirtyClone’ Linux Kernel Vulnerability Leads to Root Access

Related Content

Artificial Intelligence

The "Rogue Agent" vulnerability could have enabled attackers to silently manipulate AI conversations, exfiltrate data, and compromise every Dialogflow CX agent within the same...

Artificial Intelligence

Researchers show how attackers can use a crafted public GitHub Issue to trick AI-powered workflows into exposing data from private repositories without authentication.

Vulnerabilities

Attackers are exploiting the critical Gitea vulnerability CVE-2026-20896 to bypass authentication with a single HTTP header and access vulnerable repositories and secrets.

Vulnerabilities

Hackers are exploiting a recently patched critical vulnerability (CVE-2026-48282) in Adobe ColdFusion that carries a CVSS score of 10/10.

Vulnerabilities

CISA says threat actors are exploiting a recently patched SharePoint remote code execution vulnerability (CVE-2026-45659).

Vulnerabilities

Fifteen of the newly patched flaws have been rated ‘critical’ and 67 have been rated ‘high severity’.

Vulnerabilities

The critical-severity defect allows unauthenticated attackers to take over the E-Business Suite’s Payments product.

Malware & Threats

The threat actor is focused on collecting credentials, SSH keys, cryptocurrency wallets, and development tooling.

Copyright © 2026 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.

Exit mobile version