@minanagehsalalma
Last active May 21, 2026 12:47
ZTE ZXHN router vulnerabilities – CVE-2026-34472, CVE-2026-34473, CVE-2026-34474

ZTE ZXHN router vulnerabilities

Public disclosure date: 2026-03-27
Researcher: Mina Nageh Salama Zekry

This public reference summarizes three CVEs affecting ZTE ZXHN / H-series router web interfaces. It is intended as a clean reference for CVE and NVD records, with the full technical write-ups routed through LinkedIn posts.

CVE-2026-34472: ZXHN H188A V6.0 credential disclosure leading to auth bypass

Affected product: ZTE ZXHN H188A V6.0
Affected versions: V6.0.10P2_TE, V6.0.10P3N3_TE

Summary:
The pre-login wizard routing path accepts attacker-controlled _type and _tag values on root-path requests before the normal quick-setup gate is applied. This allows unauthenticated access to credential-bearing wizard handlers.

Impact:
WLAN, PPPoE, and administrator credential disclosure. On the validated H188A V6 path, the leaked Wi-Fi passphrase becomes the default administrator password when uppercased, turning the disclosure into administrative access.

Observed component / endpoint:
/?_type=tedataNotLoginData&_tag=wizard_lua.lua&IF_ACTION=...

References:
technical write-up | PoC

CVE-2026-34473: ZTE H-series unauthenticated denial of service

Affected products / models include:
H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, H196Q

Affected version scope:
Multiple firmware versions observed across affected H-series models, including versions in use prior to 2022.

Summary:
The router web stack processes attacker-controlled application/x-www-form-urlencoded POST bodies before authentication is enforced. Large request bodies that stay within the configured parser budget can still reach the expensive body-read and parse path.

Impact:
Unauthenticated denial of service against the web management interface. During validation, affected interfaces became unavailable and required manual reboot to recover.

References:
technical write-up | PoC

CVE-2026-34474: ZXHN H298A / H108N sensitive data exposure

Affected products: ZTE ZXHN H298A, ZTE ZXHN H108N
Affected versions: H298A V1.1, H108N V2.6

Summary:
An unauthenticated ETHCheat=1 request to the management page returns credential-bearing HTML on affected builds. A related wizard endpoint also exposes serial information, showing a broader unauthenticated disclosure surface.

Impact:
Administrator password and WLAN PSK disclosure, enabling management-interface compromise and Wi-Fi credential compromise on affected builds.

Observed component / endpoint:
/getpage.lua?pid=1000&ETHCheat=1

References:
technical write-up | PoC
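
Detection sketch for the three issues above, added here as an example and not taken from the researcher's write-ups or from ZTE. It flags requests matching the observed endpoints in logs from a proxy or network sensor placed in front of the management interface. The log line format, the `LARGE_BODY_BYTES` threshold, and the function names are assumptions; the advisory states no size threshold.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed log format (assumption, not a ZTE format):
#   <src_ip> "<METHOD> <target> HTTP/1.1" <status> <request_bytes> <content_type>
LINE_RE = re.compile(r'^(\S+) "([A-Z]+) (\S+) HTTP/[\d.]+" (\d{3}) (\d+) (\S+)$')

# Assumed tuning value; the advisory does not state a body-size threshold.
LARGE_BODY_BYTES = 64 * 1024

def classify(line):
    """Return (src_ip, cve_id) if the request matches an advisory indicator, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    src, method, target, _status, nbytes, ctype = m.groups()
    url = urlsplit(target)
    # parse_qs percent-decodes names and values, so encoded variants still match.
    qs = parse_qs(url.query, keep_blank_values=True)
    if url.path == "/" and "_type" in qs and "wizard_lua.lua" in qs.get("_tag", []):
        return src, "CVE-2026-34472"
    if url.path == "/getpage.lua" and "1" in qs.get("ETHCheat", []):
        return src, "CVE-2026-34474"
    if (method == "POST" and ctype.lower() == "application/x-www-form-urlencoded"
            and int(nbytes) >= LARGE_BODY_BYTES):
        return src, "CVE-2026-34473"
    return None

def scan(lines):
    """Group matched indicators by source address."""
    hits = {}
    for line in lines:
        result = classify(line)
        if result:
            hits.setdefault(result[0], set()).add(result[1])
    return hits

# Constructed sample input (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 "GET /?_type=tedataNotLoginData&_tag=wizard_lua.lua HTTP/1.1" 200 0 -',
    '192.0.2.10 "GET /?_type=tedataNotLoginData&%5Ftag=wizard%5Flua.lua HTTP/1.1" 200 0 -',
    '198.51.100.7 "GET /getpage.lua?pid=1000&ETHCheat=1 HTTP/1.1" 200 0 -',
    '203.0.113.5 "POST / HTTP/1.1" 200 900000 application/x-www-form-urlencoded',
    '203.0.113.9 "POST / HTTP/1.1" 200 120 application/x-www-form-urlencoded',
    '203.0.113.9 "GET /getpage.lua?pid=1000 HTTP/1.1" 200 0 -',
]

if __name__ == "__main__":
    for src, cves in sorted(scan(SAMPLE_LOG).items()):
        print(src, sorted(cves))
```

A match is a prompt for review, not proof of compromise: the log cannot show whether the request was authenticated, and large form posts can be legitimate.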

Timeline

  • 2024-05-02: Vulnerabilities reported to ZTE PSIRT.
  • 2026: CVE IDs assigned and public records published by the CVE Program.