
[FD] [SECURITY ADVISORY] CVE-2026-34474 - ZTE H298A/H108N Unauthenticated Admin Credential Exposure



-----BEGIN SECURITY ADVISORY-----

Advisory ID:    MONX-2026-003
CVE ID:         CVE-2026-34474
Title:          ZTE ZXHN H298A / H108N - Unauthenticated Admin Password & WLAN Credential Exposure
Affected:       ZTE ZXHN H298A 1.1, ZTE ZXHN H108N 2.6 (EOL; no patch planned)
Date:           2026-05-20
Author:         Mina Nageh Salalma (Monx Research)
Contact:        minanageh379@xxxxxxxxx
Public URL:     https://github.com/minanagehsalalma/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure
MITRE:          https://www.cve.org/CVERecord?id=CVE-2026-34474


VULNERABILITY DESCRIPTION
--------------------------
A single unauthenticated HTTP GET to /getpage.lua?pid=1000&ETHCheat=1 on ZTE
H298A or H108N routers returns the live administrator password
(OBJ_USERINFO_IDPassword1), WLAN PSK (WLANPSK_KeyPassphrase1), and SSID in
plaintext HTML. A second endpoint exposes the device serial number.

Note: ZTE declined vendor-side assignment citing product EOL. MITRE assigned
CVE-2026-34474 directly and published the record 2026-05-06. These devices
remain deployed by some ISPs.
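Since no patch is planned, the practical defender's task is to find out whether the disclosure endpoint has been hit, and from where. The following is an added detection example, not part of the advisory and not code from the author: it parses combined-format HTTP access log lines (assumed to come from a reverse proxy, IDS, or the device's own web log placed in front of the management interface), flags successful GET requests to /getpage.lua with pid=1000 and ETHCheat=1, and marks hits from non-RFC 1918 sources as WAN-side exposure. The log lines are constructed for the example; the serial-number endpoint is not named in the advisory and is therefore not matched.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Constructed sample access-log lines (combined log format); not from the advisory.
# They simulate traffic against an H298A/H108N management interface.
SAMPLE_LOG = """\
203.0.113.7 - - [20/May/2026:10:01:02 +0000] "GET /getpage.lua?pid=1000&ETHCheat=1 HTTP/1.1" 200 4512 "-" "curl/8.5.0"
192.168.1.20 - - [20/May/2026:10:01:05 +0000] "GET /getpage.lua?pid=1000&ETHCheat=1 HTTP/1.1" 200 4512 "-" "Mozilla/5.0"
192.168.1.20 - - [20/May/2026:10:02:00 +0000] "GET /getpage.lua?pid=1002 HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
198.51.100.9 - - [20/May/2026:10:03:11 +0000] "GET /login.html HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: source, timestamp, method, target, status.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# RFC 1918 ranges; a hit from outside them means the endpoint was reachable from the WAN.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_line(line):
    """Return a dict of the fields above, or None for lines that do not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_credential_disclosure_request(method, target):
    """True when the request matches the endpoint from the advisory:
    GET /getpage.lua with pid=1000 and ETHCheat=1 (parameter order irrelevant)."""
    if method.upper() != "GET":
        return False
    parts = urlsplit(target)
    if parts.path != "/getpage.lua":
        return False
    query = parse_qs(parts.query)
    return query.get("pid") == ["1000"] and query.get("ETHCheat") == ["1"]


def is_wan_source(src):
    """True unless src is a valid IPv4/IPv6 address inside RFC 1918 space."""
    try:
        addr = ip_address(src)
    except ValueError:
        return True  # unparseable source: treat as external rather than silently drop
    return not any(addr in net for net in RFC1918)


def find_exposures(log_text):
    """Return (src, timestamp, from_wan) for every successful (HTTP 200) hit on the
    credential-disclosure endpoint, in log order."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if not is_credential_disclosure_request(rec["method"], rec["target"]):
            continue
        if rec["status"] != 200:
            continue
        hits.append((rec["src"], rec["ts"], is_wan_source(rec["src"])))
    return hits


if __name__ == "__main__":
    for src, ts, from_wan in find_exposures(SAMPLE_LOG):
        where = "WAN" if from_wan else "LAN"
        print(f"{ts} credential disclosure endpoint served to {src} ({where})")
```

Any WAN-side hit should be treated as a compromise of both the admin password and the WLAN PSK, since the response carries them in plaintext; rotating both and restricting the management interface to the LAN side is the only remediation available on an end-of-life device.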


CREDITS
-------
Mina Nageh Salalma (Monx Research)
https://github.com/minanagehsalalma

-----END SECURITY ADVISORY-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/