The CERT Coordination Center (CERT/CC) has issued a warning about an undocumented authentication backdoor embedded in multiple versions of firmware from Chinese network device manufacturer Tenda. Tracked as CVE-2026-11405, this vulnerability allows remote attackers to bypass password verification and gain full administrative control over the devices' web management interfaces.

The flaw resides in the firmware's authentication mechanism, which fails to properly validate user credentials under certain conditions. CERT/CC noted that the backdoor is not documented in any official release notes or security advisories from the vendor, raising concerns about its origin and purpose. The vulnerability is rated high severity, though no CVSS score was explicitly provided in the advisory.

Attackers can exploit CVE-2026-11405 by sending specially crafted requests to the router's web interface, effectively circumventing the login process altogether. No authentication tokens or prior network access are required, making this a significant threat for exposed devices. Indicators of compromise may include unauthorized configuration changes or persistent admin sessions.

To date, Tenda has not released a patch or official statement addressing the vulnerability. CERT/CC recommends that users disable remote web management access and restrict administrative interfaces to trusted local networks as interim mitigation measures. Affected firmware versions have not been publicly enumerated, complicating efforts to identify vulnerable devices.

The discovery adds to a growing list of documented backdoors in consumer-grade networking equipment, where vendors have been criticized for inadequate supply chain security and transparency. The attack surface is substantial, given Tenda's widespread deployment in home and small office environments globally.