[SECURITY ADVISORY] CVE-2026-34472 - ZTE ZXHN H188A V6 Authentication Bypass via Pre-Login Wizard

Full Disclosure mailing list archives


From: "m.nageh" <minanageh379 () gmail com>
Date: Wed, 20 May 2026 16:32:17 +0200

-----BEGIN SECURITY ADVISORY-----

Advisory ID:    MONX-2026-002
CVE ID:         CVE-2026-34472
Title:          ZTE ZXHN H188A V6 - Authentication Bypass via Pre-Login Wizard Credential Leakage
Affected:       ZTE ZXHN H188A V6.0.10P2_TE, V6.0.10P3N3_TE
Date:           2026-05-20
Author:         Mina Nageh Salalma (Monx Research)
Contact:        minanageh379 () gmail com
Public URL:     https://github.com/minanagehsalalma/cve-2026-34472-auth-bypass-zte-h188a-router
MITRE:          https://www.cve.org/CVERecord?id=CVE-2026-34472


VULNERABILITY DESCRIPTION
--------------------------
Unauthenticated requests to the root path of ZTE ZXHN H188A V6 firmware can
reach pre-login wizard handlers and disclose WLAN PSKs, SSIDs, and PPPoE
usernames. The leaked Wi-Fi password is also the default administrator
password after uppercasing, resulting in full authentication bypass.


ROOT CAUSE
----------
router_logic_impl.lua accepts attacker-controlled _type and _tag parameters
for empty-path requests. urlpath_2type_modifier.lua only activates the
QuickSetupEnable gate when _type is absent. Supplying _type explicitly
causes the wizard handlers (getPassword, wlan_get, ppp_get) to execute for
unauthenticated requests, returning WLAN PSKs, SSIDs, and PPPoE credentials.


TIMELINE
--------
2024-04-26: Local validation and PoC artifacts created.
2024-05:    Report sent to ZTE PSIRT.
2024-05-10: ZTE PSIRT stopped responding.
2026-01-17: Escalated to MITRE.
2026-02-02: ZTE PSIRT explicitly declined CVE assignment.
2026-03-27: MITRE assigned CVE-2026-34472.
2026-05-20: Full public disclosure.


CREDITS
-------
Mina Nageh Salalma (Monx Research)
https://github.com/minanagehsalalma

-----END SECURITY ADVISORY-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
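
Added example, not part of the advisory or the author's PoC: a log check for the request shape named under ROOT CAUSE, an empty-path request that supplies _type explicitly. It assumes a proxy or network sensor records HTTP requests to the router's web interface in Common Log Format and that the parameters travel in the query string; the sample lines and parameter values are constructed placeholders.

```python
import re
from urllib.parse import parse_qs

# Assumed input: Common Log Format lines from a proxy or sensor in front of
# the router's web interface (the advisory does not describe device logging).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})\b'
)

# Constructed sample traffic; parameter values are placeholders, not real ones.
SAMPLE_LOG = """\
192.0.2.10 - - [20/May/2026:10:00:01 +0000] "GET / HTTP/1.1" 200 5120
192.0.2.77 - - [20/May/2026:10:00:05 +0000] "GET /?_type=EXAMPLE_TYPE&_tag=EXAMPLE_TAG HTTP/1.1" 200 311
192.0.2.77 - - [20/May/2026:10:00:06 +0000] "GET /?%5Ftype=EXAMPLE_TYPE HTTP/1.1" 200 298
192.0.2.10 - - [20/May/2026:10:00:09 +0000] "GET /img/logo.png?_type=x HTTP/1.1" 200 900
192.0.2.10 - - [20/May/2026:10:00:12 +0000] "GET /?lang=en HTTP/1.1" 200 5120
"""


def find_wizard_probes(log_text):
    """Return root-path requests that carry an explicit _type parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the assumed format
        path, _, query = m["target"].partition("?")
        # parse_qs percent-decodes names, so %5Ftype is seen as _type.
        params = parse_qs(query, keep_blank_values=True)
        if path.strip("/") == "" and "_type" in params:
            hits.append({
                "src": m["src"],
                "time": m["ts"],
                "status": int(m["status"]),
                "type": params["_type"][0],
                "tag": params.get("_tag", [None])[0],
            })
    return hits


if __name__ == "__main__":
    for hit in find_wizard_probes(SAMPLE_LOG):
        print(hit)
```

A hit answered with status 200 for a client that never logged in warrants rotating both the Wi-Fi PSK and the administrator password, since the advisory states the former yields the latter.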



Source: https://seclists.org/fulldisclosure/2026/May/19