Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
3DescriptionCVE.org
Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. In affected builds, the response may include the administrator password and WLAN PSK, enabling authentication bypass and network compromise. Some firmware versions may expose only partial identifiers (e.g., serial number, ESSID, MAC addresses).
AnalysisAI
Remote unauthenticated attackers can retrieve plaintext administrator passwords and WLAN Pre-Shared Keys from ZTE ZXHN H298A (firmware 1.1) and H108N (firmware 2.6) routers via crafted HTTP requests to the web management interface. The vulnerability enables complete network compromise through credential theft without requiring authentication. Public exploit code exists (GitHub Gist), demonstrating active researcher interest, though no CISA KEV listing indicates targeted rather than widespread exploitation. EPSS data unavailable, but the combination of network attack vector, no authentication requirement, and credential exposure presents immediate risk to affected deployments.
Technical ContextAI
This is an information disclosure vulnerability (CWE-200) in ZTE's embedded web server implementation for consumer-grade ZXHN router series. The web management interface fails to implement proper authentication checks or output sanitization on specific endpoints, allowing unauthenticated HTTP requests to trigger responses containing sensitive configuration data. Affected models are home/SOHO gateway devices combining routing, wireless access point, and management functions. The vulnerability exposes data from the device's configuration store or memory, which contains plaintext or weakly-protected credentials. The CVSS vector confirms network-accessible exploitation requiring no special conditions (AV:N/AC:L/PR:N/UI:N), with high confidentiality impact but no integrity or availability impact, consistent with pure data exfiltration.
RemediationAI
Contact ZTE technical support or check the official ZTE security portal (https://www.zte.com.cn/global/) for firmware updates addressing this vulnerability. No specific patched firmware version has been independently confirmed in available references, requiring direct vendor contact for remediation guidance. If firmware updates are unavailable or cannot be immediately deployed, implement these compensating controls: (1) Disable remote/WAN-side management access to the router web interface, restricting access to LAN-side only (trade-off: remote administration unavailable), (2) Change default administrator credentials and WLAN PSK immediately to limit damage if already compromised, (3) Implement network segmentation isolating the router management interface from untrusted networks using firewall rules or VLANs (trade-off: increased configuration complexity), (4) Deploy network monitoring to detect unusual access patterns to router management ports (TCP 80/443/8080). For enterprise deployments, consider replacing affected devices with alternative hardware if vendor support is inadequate. The GitHub Gist at https://gist.github.com/minanagehsalalma/7a8516b9b00d0008f2f25750320560c9 documents the vulnerability but does not provide remediation guidance.
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, whic
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password ha
The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account
Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE
connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to mo
Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrato
All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control
The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which
Same weakness CWE-200 – Information Exposure
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27883