July 7, 2026
Router password? More like trapdoor
Tenda firmware (multiple versions) contains hidden authentication backdoor
Secret router master key sparks outrage, jokes, and a very loud "of course it did"
TLDR: Several Tenda routers reportedly contain a hidden admin password path that can let outsiders take over the device, and there’s no patch yet. Commenters swung between fury, cynicism, and jokes, with the biggest gasp coming from claims the secret password may be laughably simple: "rzadmin."
The actual security issue is bad enough: several Tenda routers appear to have a hidden "let me in" password that can hand over full control of the device’s settings, even if the real admin password is different. In plain English, that means someone who reaches the router’s login page could potentially walk right into the control room, change internet settings, weaken protections, and make life miserable for everyone on that network. There’s no fix yet, and the report says the vendor couldn’t be reached, which only turned up the community’s panic meter.
But the comments? Absolutely on fire. The loudest reaction was the classic mix of anger and weary resignation: one poster basically went, another company shipping a product with a backdoor, what a shock. That instantly set the mood: distrust, eye-rolling, and a lot of “this is why I don’t trust cheap networking gear” energy. Others went straight for comedy, with one quipping, “Up and out the back door, any 'ol time,” turning a serious flaw into a grim little singalong.
Then came the sleuthing. One commenter dug up an older 2022 writeup and dropped the spoiler that the mystery backup password may simply be "rzadmin" — a reveal that made the whole thing feel less like a sophisticated secret and more like somebody hid the house key under a doormat labeled “KEY.” Another thread of drama centered on who Tenda even is, with commenters wondering whether it’s one of those brands people own without realizing it. The vibe: half cybersecurity warning, half roast session.
Key Points
- •Multiple Tenda firmware versions contain an undocumented authentication backdoor tracked as CVE-2026-11405.
- •The backdoor is located in the /bin/httpd web server binary’s login() function.
- •If standard MD5-based authentication fails, the firmware retrieves an alternate password from sys.rzadmin.password and compares it in plaintext.
- •The username is not validated in the backdoor path, so any username can succeed if the alternate password matches.
- •No patch was available at publication time, and the article recommended disabling remote management and reducing local network exposure as mitigations.