Skip to main content

ZTE ZXHN routers CVE-2026-34474

| EUVDEUVD-2026-27883 HIGH
Information Exposure (CWE-200)
2026-05-06 mitre
7.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
7.5 HIGH
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

3
Analysis Generated
May 07, 2026 - 13:22 vuln.today
CVSS changed
May 07, 2026 - 13:22 NVD
7.5 (HIGH)
CVE Published
May 06, 2026 - 00:00 nvd
HIGH 7.5

DescriptionCVE.org

Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. In affected builds, the response may include the administrator password and WLAN PSK, enabling authentication bypass and network compromise. Some firmware versions may expose only partial identifiers (e.g., serial number, ESSID, MAC addresses).

AnalysisAI

Remote unauthenticated attackers can retrieve plaintext administrator passwords and WLAN Pre-Shared Keys from ZTE ZXHN H298A (firmware 1.1) and H108N (firmware 2.6) routers via crafted HTTP requests to the web management interface. The vulnerability enables complete network compromise through credential theft without requiring authentication. Public exploit code exists (GitHub Gist), demonstrating active researcher interest, though no CISA KEV listing indicates targeted rather than widespread exploitation. EPSS data unavailable, but the combination of network attack vector, no authentication requirement, and credential exposure presents immediate risk to affected deployments.

Technical ContextAI

This is an information disclosure vulnerability (CWE-200) in ZTE's embedded web server implementation for consumer-grade ZXHN router series. The web management interface fails to implement proper authentication checks or output sanitization on specific endpoints, allowing unauthenticated HTTP requests to trigger responses containing sensitive configuration data. Affected models are home/SOHO gateway devices combining routing, wireless access point, and management functions. The vulnerability exposes data from the device's configuration store or memory, which contains plaintext or weakly-protected credentials. The CVSS vector confirms network-accessible exploitation requiring no special conditions (AV:N/AC:L/PR:N/UI:N), with high confidentiality impact but no integrity or availability impact, consistent with pure data exfiltration.

RemediationAI

Contact ZTE technical support or check the official ZTE security portal (https://www.zte.com.cn/global/) for firmware updates addressing this vulnerability. No specific patched firmware version has been independently confirmed in available references, requiring direct vendor contact for remediation guidance. If firmware updates are unavailable or cannot be immediately deployed, implement these compensating controls: (1) Disable remote/WAN-side management access to the router web interface, restricting access to LAN-side only (trade-off: remote administration unavailable), (2) Change default administrator credentials and WLAN PSK immediately to limit damage if already compromised, (3) Implement network segmentation isolating the router management interface from untrusted networks using firewall rules or VLANs (trade-off: increased configuration complexity), (4) Deploy network monitoring to detect unusual access patterns to router management ports (TCP 80/443/8080). For enterprise deployments, consider replacing affected devices with alternative hardware if vendor support is inadequate. The GitHub Gist at https://gist.github.com/minanagehsalalma/7a8516b9b00d0008f2f25750320560c9 documents the vulnerability but does not provide remediation guidance.

More in Zte

View all
CVE-2014-2321 CRITICAL POC
10.0 Mar 11

web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd

CVE-2015-7251 CRITICAL POC
9.8 Dec 30

ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, whic

CVE-2015-7259 HIGH POC
8.8 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid

CVE-2015-7258 HIGH POC
8.8 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain

CVE-2015-7248 HIGH POC
7.5 Dec 30

ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password ha

CVE-2014-0329 CRITICAL POC
9.3 Feb 04

The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account

CVE-2015-7250 HIGH POC
7.5 Dec 30

Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE

CVE-2017-16953 HIGH POC
7.5 Dec 01

connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to mo

CVE-2015-7252 MEDIUM POC
6.1 Dec 30

Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_

CVE-2015-7257 HIGH POC
7.5 Aug 24

ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrato

CVE-2018-7364 CRITICAL POC
9.8 Dec 07

All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control

CVE-2014-4018 HIGH POC
7.8 Jul 16

The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which

Share

CVE-2026-34474 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy