Ghid independent privind Regulamentul (UE) 2024/2847 · Statut: în vigoare
Această pagină este o traducere automată (IA) și nu a fost revizuită de o persoană. Articolele de blog sunt disponibile numai în limba engleză.
← All news
Verificare rapidă13 July 2026

Fast Check: After CERT/CC's 6 July 2026 Tenda Backdoor Warning, Home Routers Fall Under the CRA's Class I Rules

Fast Check: After CERT/CC's 6 July 2026 Tenda Backdoor Warning, Home Routers Fall Under the CRA's Class I Rules

On 6 July 2026, the CERT Coordination Center (CERT/CC) published Vulnerability Note VU#213560: several firmware versions shipped by the Chinese network equipment maker Tenda contain an undocumented authentication backdoor, tracked as CVE-2026-11405, that grants full administrative access to the routers' web interface. CERT/CC says it could not reach the vendor, so there is no patch, only workarounds. This Fast Check asks the obvious question: if a device like this is sold into the EU, what does the Actul privind reziliența cibernetică have to say about it?

What CERT/CC found

The backdoor sits in the login() function of the routers' web server binary. If normal MD5-based password verification fails, the firmware quietly retrieves an alternate password from an internal configuration value (sys.rzadmin.password) and compares it in plaintext to whatever the user typed. A match grants administrator access, whatever username was entered, and the mechanism is invisible in every administrative interface. CERT/CC lists five affected firmware versions across the FH1201, W15E, AC10, AC5 and AC6 families. Tenda was notified on 19 May 2026 and had not responded by publication. The only mitigations offered are disabling remote web management and changing the default LAN IP address.

Where a home router sits in the CRA

The CRA sorts products with digital elements into a default tier, important products (Annex III) and critic products (Annex IV). Routers are named explicitly: Annex III, Class I, lists routers, modems intended for the connection to the internet, and switches. Class I is the lower of the two Annex III bands, but it still comes with strings attached. Under Article 32, a Class I product may only use the light internal-control route (module A) if the manufacturer applies harmonised standards, common specifications or a European cybersecurity certification scheme covering the essential requirements. Otherwise it needs EU-type examination plus conformity to type (modules B and C), full quality assurance (module H) or certification. You can check any device against the tiers with our classification tool or run the full Verificare rapidă yourself.

A hidden backdoor fails the essential requirements by design

Annex I, Part I of the CRA requires that products be made available without known exploitable vulnerabilities and that they ensure protection from unauthorised access by appropriate control mechanisms, including authentication. An undocumented alternate password that bypasses the configured administrator credentials defeats the authentication mechanism itself. This is not a bug that slipped through testing; it is a design choice. Under the CRA, a product in this state could not lawfully carry the CE marking, and market surveillance authorities could require corrective action, withdrawal or recall.

An unreachable vendor is its own compliance failure

The second half of the story matters as much as the backdoor. CERT/CC tried for seven weeks and could not coordinate with Tenda. Under Article 13(17), a manufacturer must designate a single point of contact so that users and researchers can reach it, including to report vulnerabilities, and Annex I, Part II requires a coordinated vulnerability disclosure policy and effective vulnerability handling for the duration of the support period. A manufacturer that cannot be reached at all would fail these obligations outright. And because Tenda is a third-country manufacturer, the CRA also puts duties on the supply chain: under Articles 19 and 20, importers and distributors may not place or make available products they have reason to believe do not conform, and must inform the manufacturer and, where there is a significant cybersecurity risk, the authorities.

Status at publication, 13 July 2026

The CRA's reporting obligations start on 11 septembrie 2026, when manufacturers must report actively exploited vulnerabilities within 24 hours via ENISA's Single Reporting Platform. That platform is not yet live; ENISA has scheduled it to be operational by 11 September 2026. No CRA harmonised standard has yet been cited in the Official Journal, so the Article 27 presumption of conformity, and with it the self-assessment route for Class I routers, is not yet available in practice. The CRA's full obligations apply from 11 December 2027.

What this means for router makers and buyers

For makers, the lesson is blunt: any undocumented access mechanism is a liability that the CRA converts into a market-access problem. Audit your own firmware for legacy debug and support accounts now, stand up a reachable vulnerability contact point, and document the support period. For buyers and EU importers, vendor responsiveness is now a compliance signal, not just a service-quality one. A vendor that ignores a CERT/CC notification for seven weeks today is a vendor whose products will struggle to stay on the EU market after 11 December 2027. Until a patch exists, affected Tenda owners should disable remote management and treat the device as untrusted.

Published 13 July 2026 · Fast Check · Routers. Part of the CRA insights blog on cyberresilienceact.eu.