
[FD] [SECURITY ADVISORY] CVE-2021-21735 - ZTE ZXHN H168N V3.5 Unauthenticated Admin Credential Leak



-----BEGIN SECURITY ADVISORY-----

Advisory ID:    MONX-2021-001
CVE ID:         CVE-2021-21735
Title:          ZTE ZXHN H168N V3.5 - Unauthenticated Wizard Credential
                Disclosure to Full Admin Compromise
Affected:       ZTE ZXHN H168N V3.5
Date:           2026-05-20
Author:         Mina Nageh Salalma (Monx Research)
Contact:        minanageh379@xxxxxxxxx
Public URL:     https://github.com/minanagehsalalma/cve-2021-21735-zte-zxhn-h168n-admin-compromise
MITRE:          https://www.cve.org/CVERecord?id=CVE-2021-21735


VULNERABILITY DESCRIPTION
--------------------------
The ZTE ZXHN H168N V3.5 firmware exposes quick-setup wizard endpoints that
return PPPoE credentials (ADUsername, VDUsername) and the WLAN KeyPassphrase
via the GetPassword action without requiring authentication. The firmware
routing allowlists these endpoints through a QuickSetupEnable branch.

In ISP-deployed configurations where the Wi-Fi password is reused as the
default admin password, this credential disclosure is a full admin compromise
chain requiring a single unauthenticated HTTP request.

A bulk PoC script (zte_zxhn_h168n_bulk_poc.py) is included in the repository
for verifying scale of exposure.

CREDITS
-------
Mina Nageh Salalma (Monx Research)
https://github.com/minanagehsalalma

-----END SECURITY ADVISORY-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
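
Added example, not part of the original advisory and not firmware code: a simplified Python model of the allowlist pattern the advisory describes, beside a hardened variant, with an exhaustive check that no unauthenticated request state reaches a secret-returning action. Only GetPassword and QuickSetupEnable come from the advisory; the handler names, the GetStatus action and the "provisioned" state field are assumptions.

```python
from itertools import product

# Constructed model. Only "GetPassword" and the QuickSetupEnable flag are named
# in the advisory; handler names, "GetStatus" and "provisioned" are assumptions.
SECRET_ACTIONS = {"GetPassword"}
ACTIONS = SECRET_ACTIONS | {"GetStatus"}
WIZARD_HANDLERS = {"wizard_wan", "wizard_wlan"}
HANDLERS = WIZARD_HANDLERS | {"admin_settings"}


def weak_policy(req):
    """Flawed pattern: the setup flag alone exempts every wizard handler from auth."""
    if req["authenticated"]:
        return True
    return req["quick_setup_enable"] and req["handler"] in WIZARD_HANDLERS


def hardened_policy(req):
    """Pre-auth wizard access only before provisioning, never for secret reads."""
    if req["authenticated"]:
        return True
    if req["action"] in SECRET_ACTIONS or req["provisioned"]:
        return False
    return req["quick_setup_enable"] and req["handler"] in WIZARD_HANDLERS


def unauthenticated_secret_reads(policy):
    """Enumerate every unauthenticated request state; return those that leak."""
    findings = []
    for handler, action, flag, provisioned in product(
            sorted(HANDLERS), sorted(ACTIONS), (False, True), (False, True)):
        req = {"handler": handler, "action": action, "authenticated": False,
               "quick_setup_enable": flag, "provisioned": provisioned}
        if action in SECRET_ACTIONS and policy(req):
            findings.append((handler, flag, provisioned))
    return findings


if __name__ == "__main__":
    for name, policy in (("weak", weak_policy), ("hardened", hardened_policy)):
        leaks = unauthenticated_secret_reads(policy)
        print(f"{name}: {len(leaks)} unauthenticated secret-read path(s)")
        for handler, flag, provisioned in leaks:
            print(f"  handler={handler} QuickSetupEnable={flag} provisioned={provisioned}")
```

The same enumeration can serve as a regression test for any pre-auth route table: the list of findings must stay empty.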