Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
3DescriptionCVE.org
Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. A denial-of-service condition can be triggered against the router's web interface by sending an oversized application/x-www-form-urlencoded POST body. After triggering, the management interface may become unresponsive until the device is rebooted. This may affect any firmware version prior to 2022 (reporter observation). The supplier stated that devices are not vulnerable since 2021-03-23; operator firmware may vary.
AnalysisAI
Remote denial-of-service in ZTE home routers (H8102E, H168N, H167A, and 15 other models) allows unauthenticated network attackers to crash the web management interface via oversized HTTP POST request with application/x-www-form-urlencoded content, requiring physical device reboot to restore service. ZTE claims devices patched since March 2021, but operator firmware timelines vary. EPSS data not available; no active exploitation confirmed (not in CISA KEV). Publicly available exploit details exist via GitHub gist.
Technical ContextAI
This vulnerability exploits improper input validation (CWE-400: Uncontrolled Resource Consumption) in the HTTP POST request handler of ZTE home router web interfaces. The affected routers fail to validate or limit the size of application/x-www-form-urlencoded POST bodies before attempting to parse them, leading to resource exhaustion that crashes the management service. This affects at least 18 ZTE residential gateway models (H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, H196Q). The vulnerability exists in the web server component that handles administrative interface requests, which runs on standard HTTP/HTTPS ports (typically 80/443 or 8080). CPE data shows n/a placeholders, indicating incomplete product enumeration in NVD - specific model CPEs are not formally registered.
RemediationAI
Upgrade affected ZTE router firmware to versions released after 2021-03-23 per ZTE's statement to the reporter. Contact your internet service provider to request firmware updates, as these devices are typically ISP-managed and may not receive automatic updates. If ISP cannot confirm patch status or provide updated firmware, implement network-level compensating controls: restrict access to the router management interface by disabling remote administration features (WAN-side access to HTTP/HTTPS ports), configure firewall rules to permit management access only from trusted LAN IP addresses, or place the router behind a properly configured edge firewall that rate-limits HTTP POST requests. Note that disabling remote management prevents ISP remote support capabilities. As a temporary mitigation during active attacks, power-cycle the device to restore management interface availability, though this does not prevent re-exploitation. Organizations using these models in managed service environments should prioritize replacement with enterprise-grade equipment that receives regular security updates.
web_shell_cmd.gch on ZTE F460 and F660 cable modems allows remote attackers to obtain administrative access via sendcmd
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE have a hardcoded password of root for the root account, whic
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow user accounts to have multiple valid
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated users to obtain
ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE allow remote attackers to discover usernames and password ha
The TELNET service on the ZTE ZXV10 W300 router 2.1.0 has a hardcoded password ending with airocon for the admin account
Absolute path traversal vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_PE
connoppp.cgi on ZTE ZXDSL 831CII devices does not require HTTP Basic Authentication, which allows remote attackers to mo
Cross-site scripting (XSS) vulnerability in cgi-bin/webproc on ZTE ZXHN H108N R1A devices before ZTE.bhs.ZXHNH108NR1A.k_
ZTE ADSL ZXV10 W300 modems W300V2.1.0f_ER7_PE_O57 and W300V2.1.0h_ER7_PE_O57 allow remote authenticated non-administrato
All versions up to ZXINOS-RESV1.01.43 of the ZTE ZXIN10 product European region are impacted by improper access control
The ZTE ZXV10 W300 router with firmware W300V1.0.0a_ZRD_LK has a default password of admin for the admin account, which
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-27881