Public disclosure date: 2026-03-27
Researcher: Mina Nageh Salama Zekry
This public reference summarizes three CVEs affecting ZTE ZXHN / H-series router web interfaces. It is intended as a clean reference for CVE and NVD records, with the full technical write-ups routed through LinkedIn posts.
- CVE-2026-34472: technical write-up | PoC
- CVE-2026-34473: technical write-up | PoC
- CVE-2026-34474: technical write-up | PoC
Affected product: ZTE ZXHN H188A V6.0
Affected versions: V6.0.10P2_TE, V6.0.10P3N3_TE
Summary:
The pre-login wizard routing path accepts attacker-controlled _type and _tag values on root-path requests before the normal quick-setup gate is applied. This allows unauthenticated access to credential-bearing wizard handlers.
Impact:
WLAN, PPPoE, and administrator credential disclosure. On the validated H188A V6 path, the leaked Wi-Fi passphrase becomes the default administrator password when uppercased, turning the disclosure into administrative access.
Observed component / endpoint:
/?_type=tedataNotLoginData&_tag=wizard_lua.lua&IF_ACTION=...
References:
technical write-up | PoC
Affected products / models include:
H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, H196Q
Affected version scope:
Multiple firmware versions observed across affected H-series models, including versions in use prior to 2022.
Summary:
The router web stack processes attacker-controlled application/x-www-form-urlencoded POST bodies before authentication gates matter. Large request bodies that stay within the configured parser budget can still reach the expensive body-read and parse path.
Impact:
Unauthenticated denial of service against the web management interface. During validation, affected interfaces became unavailable and required manual reboot to recover.
References:
technical write-up | PoC
Affected products: ZTE ZXHN H298A, ZTE ZXHN H108N
Affected versions: H298A V1.1, H108N V2.6
Summary:
An unauthenticated ETHCheat=1 request to the management page returns credential-bearing HTML on affected builds. A related wizard endpoint also exposes serial information, showing a broader unauthenticated disclosure surface.
Impact:
Administrator password and WLAN PSK disclosure, enabling management-interface compromise and Wi-Fi credential compromise on affected builds.
Observed component / endpoint:
/getpage.lua?pid=1000ÐCheat=1
References:
technical write-up | PoC
- 2024-05-02: Vulnerabilities reported to ZTE PSIRT.
- 2026: CVE IDs assigned and public records published by the CVE Program.