{"vulnerability": "CVE-2026-11405", "sightings": [{"uuid": "2b39510d-ee25-48cf-ba9c-e011bcf256bd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/securityonline.bsky.social/post/3mpzrjkh5ga2f", "content": "CVE-2026-11405 is a Tenda authentication backdoor. It allows full administrative access without valid credentials. Protect your network with these steps.\n\n#CVE202611405 #Tenda #AuthenticationBackdoor #CyberSecurity #RouterSecurity", "creation_timestamp": "2026-07-07T04:31:58.731845Z"}, {"uuid": "038f68fc-5a5f-4b90-b9c8-b034049bff56", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/potato.software/post/3mpzrjlnff724", "content": "CVE-2026-11405 is a Tenda authentication backdoor. It allows full administrative access without valid credentials. Protect your network with these steps.\n\n#CVE202611405 #Tenda #AuthenticationBackdoor #PotatoSecurity #RouterSecurity", "creation_timestamp": "2026-07-07T04:31:59.291714Z"}, {"uuid": "67f2251c-4909-4aa7-9746-42aa18f1e903", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/infosecbriefly.bsky.social/post/3mq25znx2ja2y", "content": "Undocumented firmware backdoor bypasses password checks, granting full admin access to Tenda web management interfaces via CVE-2026-11405.\n", "creation_timestamp": "2026-07-07T08:15:44.765430Z"}, {"uuid": "d86a147a-32d6-49c4-ac22-ee421c28f6ec", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mq2ajl2rwx2f", "content": "CERT/CC reports CVE-2026-11405 in several Tenda firmware versions: an undocumented admin backdoor lets attackers bypass password checks and gain full web management access. #Tenda #CERTCC #CVE202611405", "creation_timestamp": "2026-07-07T09:00:26.211318Z"}, {"uuid": "69404a25-bfd6-4a73-9292-8e43a780f6b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/newssecia.bsky.social/post/3mq2cppdfxl2b", "content": "\ud83e\udd16 CVE-2026-11405: Hidden admin backdoor in Tenda router firmware. CERT/CC warns undocumented auth bypass grants full admin access, no authentication required.\nhttps://thehackernews.com/2026/07/certcc-warns-of-hidden-admin-backdoor.html", "creation_timestamp": "2026-07-07T09:39:37.953637Z"}, {"uuid": "fd4458bd-8b09-43c6-9be0-ac69ac217d0b", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "af0120d0-3dac-4a6a-974b-a9f33d2a9846", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://thehackernews.com/2026/07/certcc-warns-of-hidden-admin-backdoor.html", "content": "", "creation_timestamp": "2026-07-07T09:47:19.524240Z"}, {"uuid": "59e6667d-cccd-469d-b47d-bb3d2e46c3ef", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-11405", "type": "seen", "source": "https://infosec.exchange/users/DarkWebInformer/statuses/116879305053736895", "content": "\u203c\ufe0f New Dark Web Informer Blog Post!\nTitle: When the Password Check Fails, You're In: The Hidden Admin Backdoor in Tenda Router Firmware (CVE-2026-11405)\nLink: https://darkwebinformer.com/when-the-password-check-fails-youre-in-the-hidden-admin-backdoor-in-tenda-router-firmware-cve-2026-11405/", "creation_timestamp": "2026-07-07T15:04:22.054924Z"}, {"uuid": "12f33d1a-9677-4456-880e-c2fc52dc7fbd", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/hendryadrian.bsky.social/post/3mq3ekurolb2s", "content": "Hidden backdoor in Tenda router firmware can grant admin access after a failed login, using a special plaintext password. CVE-2026-11405 affects multiple models. #Tenda #CVE202611405 #CERTCC", "creation_timestamp": "2026-07-07T19:45:23.481822Z"}, {"uuid": "a933d473-7626-460a-8cfd-1986f768240a", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/iberianm.bsky.social/post/3mq3ffmr5dj22", "content": "Tenda router firmware: CERT/CC warns of hidden admin backdoor (CVE-2026-11405). Check your model/firmware for affected versions and update imm\u2026 #Cybersecurity #Vulnerability #IdentitySecurity\n\nSource: https://threatbeat.com/adversaries/cert-cc-warns-of-hidden-admin-backdoor-in-tenda-router-firmware/", "creation_timestamp": "2026-07-07T20:00:21.956184Z"}, {"uuid": "842edad1-bbec-4739-8ec3-38842b8239b7", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://thehackernews.com/2026/07/certcc-warns-of-hidden-admin-backdoor.html", "content": "Several versions of firmware released by Chinese network device manufacturer Tenda have been found to embed an undocumented authentication backdoor that enables administrative access to the devices' web management interfaces, the CERT Coordination Center (CERT/CC) warned Monday.\n\n\"An attacker can exploit this vulnerability, tracked as CVE-2026-11405, to bypass the password verification process", "creation_timestamp": "2026-07-08T01:00:53.958215Z"}, {"uuid": "3f663e74-137d-4bcd-b7fc-2d5475fbf558", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-11405", "type": "seen", "source": "https://bsky.app/profile/ahmandonk.bsky.social/post/3mq43qk72d62d", "content": "\ud83d\udcf0 Backdoor Tersembunyi Ditemukan di Firmware Router Tenda, Bisa Berikan Akses Admin Tanpa Kredensial\n\n\ud83d\udc49 Baca artikel lengkap di sini: https://ahmandonk.com/2026/07/08/backdoor-firmware-router-tenda-cve-2026-11405/\n\n#cve #cve-2026-11405 #cybersecurity #firmware #jaringan #keamananSiber #network", "creation_timestamp": "2026-07-08T02:40:09.374763Z"}, {"uuid": "f7e41a2e-1cb8-4be7-be04-771820b71313", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/iberianm.bsky.social/post/3mq4a7we3t42s", "content": "Tenda router firmware has an undocumented admin backdoor (CVE-2026-11405) in some releases. Check for affected firmware and update to fixed versions. #Cybersecurity #Vulnerability #IdentitySecurity\n\nSource: https://thehackernews.com/2026/07/certcc-warns-of-hidden-admin-backdoor.html", "creation_timestamp": "2026-07-08T04:00:20.966186Z"}, {"uuid": "78f12940-de58-43fd-9cf7-8ec16d49e60d", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/hn-frontpage-bot.bsky.social/post/3mq4faxiw3n2s", "content": "Multiple Tenda router models contain an undocumented authentication backdoor, tracked as CVE-2026-11405, allowing attackers to bypass password checks for full administrative access. As no patch exists, users should disable remote management to mitigate risks.", "creation_timestamp": "2026-07-08T05:30:23.890232Z"}, {"uuid": "1af6fd99-29d5-428a-b8bc-b3eafe849c77", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/pixelsandpulse.bsky.social/post/3mq4yiik34i2x", "content": "Heads up, Tenda router users! A critical firmware flaw (CVE-2026-11405) acts as a hardcoded backdoor, granting full admin access to anyone with the secret password. Tenda is unresponsive, so you need to act: disable remote web\u2026\n\nhttps://www.tpp.blog/qbatp8a\n\n#cybersecurity #tenda #firmware", "creation_timestamp": "2026-07-08T11:14:38.784860Z"}, {"uuid": "82e8d91e-367b-403c-9659-ae491bf72a9c", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/stackflag.bsky.social/post/3mq5cc7qxcu2h", "content": "CVE-2026-11405 - firmware\nThe Apache HTTP Server has a hidden login backdoor that allows anyone to gain admin access by entering the correct password. This backdoor is not protected by a username, so any\u2026\n\nToo many irrelevant or confusing CVEs? Use stackflag.com\n\n#firmware #tenda #CVE #infosec", "creation_timestamp": "2026-07-08T14:10:04.757799Z"}, {"uuid": "6a330221-c7df-40a1-be15-806d3e8d097e", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/cerberusit.bsky.social/post/3mq73zxzrl72p", "content": "Today in patch management misery, we have CVE-2026-11405, a lovely unpatched backdoor in Tenda firmware that grants complete administrative control to any unauthenticated attacker who wanders by. This spectacular design flaw affects anyone trusting these specific network devices ...\n\nRead full story", "creation_timestamp": "2026-07-09T07:23:25.186419Z"}, {"uuid": "aca7e995-8986-4a83-ad3b-96c72732ade8", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/suriq.io/post/3mq7ae77djd2b", "content": "Five Tenda router models ship a hardcoded admin password that grants full control, any username, no login needed (CVE-2026-11405).\n\nCERT/CC confirmed it July 7. No patch, no vendor response.\n\nTurn off WAN management and plan a swap.", "creation_timestamp": "2026-07-09T08:40:43.694595Z"}, {"uuid": "d298f35c-1ac9-4d18-a133-8e57c13dc7b4", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2026-11405", "type": "seen", "source": "https://bsky.app/profile/geeknewsbot.bsky.social/post/3mqagcyobxu2l", "content": "Tenda \ud38c\uc6e8\uc5b4 \uc5ec\ub7ec \ubc84\uc804\uc5d0 \uc228\uaca8\uc9c4 \uc778\uc99d \ubc31\ub3c4\uc5b4 \ubc1c\uacac\n\n\uc77c\ubd80 Tenda \ub124\ud2b8\uc6cc\ud06c \uc7a5\ube44 \ud38c\uc6e8\uc5b4\uc5d0 \ubb38\uc11c\ud654\ub418\uc9c0 \uc54a\uc740 \uc778\uc99d \ubc31\ub3c4\uc5b4 \uac00 \uc788\uc5b4, \uc720\ud6a8\ud55c \uc790\uaca9 \uc99d\uba85 \uc5c6\uc774 \uc6f9 \uad00\ub9ac \uc778\ud130\ud398\uc774\uc2a4\uc758 \uad00\ub9ac\uc790 \uad8c\ud55c\uc744 \uc5bb\uc744 \uc218 \uc788\uc74c CVE-2026-11405 \ub294 \uc77c\ubc18 \ube44\ubc00\ubc88\ud638 \uac80\uc99d \uc2e4\ud328 \ub4a4 sys.rzadmin.password \uac12\uc744 \ub300\uccb4 \ube44\ubc00\ubc88\ud638\ucc98\ub7fc \ud655\uc778...", "creation_timestamp": "2026-07-09T20:00:06.702039Z"}, {"uuid": "27986258-1a24-4039-9a82-011b0048a5ad", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "cve-2026-11405", "type": "seen", "source": "https://poliverso.org/objects/0477a01e-afb81d93-790c92c1508d52d8", "content": "This Week in Security: Escaping Linux VMs, Vulnerable Solar, Confusing AI (Again), and Confusing NPM Malware\nThe Januscape vulnerability allows a user in a guest VM managed by the Linux Kernel Virtual Machine (KVM) to corrupt memory in the host system and break out of isolation.\nKVM virtualization is used by major hosting platforms like Amazon AWS, Google GCP, Digital Ocean, and many more. All of the shared hosting platforms count on virtualization to isolate untrusted guest systems from the physical hardware and each other; being able to corrupt memory for all guests or break isolation presents a major threat.\nThe bug report says the error has been present for 16 years, which is nearly the entire lifetime of the KVM subsystem in Linux. Fixes are available in mainline, and major hosting providers who count on KVM are likely already updating.\nVulnerabilities In Balcony Solar\nMicro solar, or \u201cbalcony solar\u201d, installs have been gaining traction in Europe as a way to offset rising electrical costs by connecting solar and battery systems to a house or apartment power system.\nVulnerabilities have been found in the popular Hoymiles micro-inverter, which uses a proprietary RF radio protocol to manage the devices. Unfortunately, it looks like this protocol has no encryption or authentication beyond validating the serial number, and the serial number is also available over a wireless probe command.\nArmed with a Nordic nRF radio researchers were able to discover nearby inverters in the wild and collect the serial numbers, though of course they stopped short of issuing commands to random users.\nThe wireless management control allows controlling the device power and output levels, as well as setting a lockout PIN, which the researchers suspect could be used to disable devices and lock the legitimate owners out completely.\nThere are an estimated 500,000 units in use, and currently the only known mitigation is to unplug the device entirely and disconnect the solar panels, though the team suggests that setting an anti-theft PIN may also help \u2013 or at least prevent an unknown PIN being set.\nBe sure to check out the link for an in-depth analysis of the protocol and the surprising lack of protection.\nOpenSSH 10.4\nOpenSSH 10.4 is out, bringing a handful of security fixes and new features.\nThe most interesting security fixes appear to be to file handling in the sftp and scp file transfer tools, a malicious remote server could cause the files to be downloaded to the wrong directories. Besides those, the security fixes seem relatively calm, making behavior more consistent when forwarding and tunneling options were in conflict, mitigating a potential denial of service, and cleaning up other behavior.\nOpenSSH 10.4 introduces some experimental support for additional post-quantum encryption standards, but beyond that seems to be a normal update.\nTenda Routers (may) Have Backdoor\nAccording to CVE-2026-11405, Tenda brand routers may have a deliberate backdoor in the web interface.\nThe vulnerability report claims that the httpd binary contains a fallback to a plaintext, hardcoded password that allows anything on the internal network to bypass authentication and reconfigure the router. This seems entirely plausible, based on issues found in other router firmwares, however additional reports raise doubts about the pervasiveness of the backdoor, or if it exists in all firmware versions.\nIf you have a Tenda brand router and are so inclined, now might be a great time to investigate OpenWRT or other alternate, updated firmware, but there\u2019s probably not a reason to panic just yet.\nTricking the GitHub Agent With Prompt Injection\nCan we go a week without discussing prompt injection in AI agents? Apparently the answer is no.\nNoma Labs reveals how they were able to use prompt injection against the GitHub support agent to reveal private repositories of an organization. Leveraging the GitHub Agentic Workflows that link workflows with AI agents, Noma Labs were able to file an issue in a public repository that exposed private repositories in the same organization.\nThe attack appears to be as simple as filing an issue in the public repo, and requesting the contents of files in both the public and private repo, which the agent happily provided. Not only did the AI agent provide the file content of private repos, but it put it in a public issue in the public repository!\nNoma Labs says in the writeup that GitHub had instituted guardrails to prevent an agent from accessing private repositories, but simply including the request to \u201cadditionally\u201d perform other tasks was sufficient to bypass. This makes GitHub the latest in a seemingly endless chain of AI agents happily helping bypass corporate security, and it doesn\u2019t seem like a trend that will slow down for a while.\nWindows Device Identifier Catches Ransomware Operator\nWindows installs contain a globally unique identifier generated during the initial install, which is used to track device behavior across Microsoft platforms. Toms Hardware reports that during an investigation of the \u201cScattered Spider\u201d ransomware group, Microsoft provided records tracking the GDID of one of the ransomware operators, allowing the identification and arrest of one of the groups members.\nScattered Spider has been responsible for millions of dollars in ransomware attacks globally, including high-profile ransomware attacks against major Las Vegas resorts, Qantas airlines, Visa, and hundreds of other companies.\nCourt documents reveal that following the arrest of one of the suspected members of the group, the Windows global ID was used to link other behavior across Azure, video games, and other telemetry.\nCISA reviews lessons learned\nMentioned here in May, the US government cybersecurity agency (CISA) suffered a disclosure of authentication tokens, cloud infrastructure, and plaintext passwords via a public GitHub repository named \u201cPrivate-CISA\u201d and operated by a contractor.\nCISA has published the results of their internal review. Unsurprisingly, as a large government agency, CISA essentially followed the playbook for dealing with incidents: identify the most critical issues and disable the access of the contractor who exposed credentials, determine the full scope of disclosed data, and terminate accounts, change passwords, and expire authentication tokens which were exposed.\nMore NPM malware packages\nOpensource Malware reports on additional infostealer malware uploaded to the NPM repository. Like most NPM-based malware, these packages rely on the install script mechanism to trigger arbitrary commands, firing immediately during package install with no additional interaction.\nAll of the malware packages mimic existing popular packages and depend on user typos or confusion to get selected. Once triggered, the malware collects a machine fingerprint, git user information, GitHub account information, SSH account information, and corporate identifiers. The packages are largely nonfunctional \u2013 the code in the package itself is irrelevant, once a victim triggers the install the malware payload is fired.\nAll of the packages were uploaded by the same source, tracked to the owner of a cybersecurity company. It is unclear if this is a misguided attempt to generate leads or hype, or if this is a research project gone wrong, but the payload of the malicious packages has been developed and tuned over time. For a company trying to build a reputation or trust, this is surely the wrong way to do it. \nhackaday.com/2026/07/10/this-w\u2026", "creation_timestamp": "2026-07-10T14:28:19.229540Z"}]}