Three stories on the table this week. A CERT advisory calls a hidden Tenda router login path an undocumented backdoor, but the credential has sat in the vendor's own documentation since 2019. A phishing kit called EvilTokens ships pages that don't exist until a victim's browser builds them. And CISA turned Anthropic's Mythos model loose on the government's own code, while the two sides are still negotiating who's allowed to run it. Here's what stood out from the operator chair.
CERT called it a new backdoor. Tenda's own documentation called it a feature back in 2019. CERT/CC's advisory on CVE-2026-11405 warns that several Tenda router builds will accept a hidden password if the real one fails, no patch, no reply from the vendor. In addition to our crew's commentary, we were joined by special guest Matt Evans, an IoT security researcher who has been sitting on this exact credential for years, documented in Tenda's own user guide since 2019 and written up again in 2022. The real undocumented backdoor sits one screen over: unchangeable guest/guest credentials that also grant admin. Nobody's chasing bugs like this because nobody can afford to. ZDI and SSD Disclosure list Tenda out of scope; paying bounty rates on a vendor closing in on 2,000 CVEs in four years would bankrupt a program. A known-bad vendor gets to age quietly out of view until a fresh CVE number turns the same bug back into news.
Nothing shows up in a scanner for a phishing page that doesn't exist yet. Researchers are tracking EvilTokens, a phishing-as-a-service kit that ships victims an empty, encrypted page; only a real browser's JavaScript decrypts the actual Microsoft device-code login flow underneath. The victim never hands over a password. They complete a genuine Microsoft sign-in and, without realizing it, authorize the attacker's session instead of their own. That's a stolen token, not a stolen credential, running on a clock instead of forever. What that window is worth depends on how far an org's single sign-on reaches: a firm wired deep into Azure and a dozen SaaS tools hands over far more than a hospital on a separate card-swipe network. The kit is clever, but the move underneath it is old: find the widest blast radius and go there first.
Handing your own code to the same model an attacker could use doesn't close the gap between them, it just moves the race faster. Reuters reports CISA's Attack Surface Evaluation team is running Anthropic's Mythos model against government code and has already turned up a large number of vulnerabilities, even while Anthropic and the White House are still negotiating who gets to run the model at all. Faster bug-finding on defense sounds like a win, but it doesn't touch the asymmetry underneath: an attacker needs one open door, a defender has to lock every one and keep it locked. There's a governance question here too: a vendor labeled a supply-chain risk one quarter and auditing government code the next is a policy statement with no stated penalty, and policies without enforcement get priced in, not respected. Better tooling raises the floor. It doesn't touch the part of the job that was always hardest: deciding what to fix first.
Subscribe to our PODCAST
Real talk on the threats, trends, and tactics shaping security today
Recommened Resources