Share
## https://sploitus.com/exploit?id=PACKETSTORM:221996
-----BEGIN SECURITY ADVISORY-----
    
    Advisory ID:    MONX-2026-002
    CVE ID:         CVE-2026-34472
    Title:          ZTE ZXHN H188A V6 - Authentication Bypass via Pre-Login
    Wizard Credential Leakage
    Affected:       ZTE ZXHN H188A V6.0.10P2_TE, V6.0.10P3N3_TE
    Date:           2026-05-20
    Author:         Mina Nageh Salalma (Monx Research)
    Contact:        minanageh379@gmail.com
    Public URL:
    https://github.com/minanagehsalalma/cve-2026-34472-auth-bypass-zte-h188a-router
    MITRE:          https://www.cve.org/CVERecord?id=CVE-2026-34472
    
    
    VULNERABILITY DESCRIPTION
    --------------------------
    Unauthenticated requests to the root path of ZTE ZXHN H188A V6 firmware can
    reach pre-login wizard handlers and disclose WLAN PSKs, SSIDs, and PPPoE
    usernames. The leaked Wi-Fi password is also the default administrator
    password after uppercasing, resulting in full authentication bypass.
    
    
    ROOT CAUSE
    ----------
    router_logic_impl.lua accepts attacker-controlled _type and _tag parameters
    for empty-path requests. urlpath_2type_modifier.lua only activates the
    QuickSetupEnable gate when _type is absent. Supplying _type explicitly
    causes
    the wizard handlers (getPassword, wlan_get, ppp_get) to execute for
    unauthenticated requests, returning WLAN PSKs, SSIDs, and PPPoE credentials.
    
    
    TIMELINE
    --------
    2024-04-26: Local validation and PoC artifacts created.
    2024-05:    Report sent to ZTE PSIRT.
    2024-05-10: ZTE PSIRT stopped responding.
    2026-01-17: Escalated to MITRE.
    2026-02-02: ZTE PSIRT explicitly declined CVE assignment.
    2026-03-27: MITRE assigned CVE-2026-34472.
    2026-05-20: Full public disclosure.
    
    
    CREDITS
    -------
    Mina Nageh Salalma (Monx Research)
    https://github.com/minanagehsalalma
    
    -----END SECURITY ADVISORY-----