-----BEGIN SECURITY ADVISORY----- Advisory ID: MONX-2021-001 CVE ID: CVE-2021-21735 Title: ZTE ZXHN H168N V3.5 - Unauthenticated Wizard Credential Disclosure to Full Admin Compromise Affected: ZTE ZXHN H168N V3.5 Date: 2026-05-20 Author: Mina Nageh Salalma (Monx Research) Contact: minanageh379 () gmail com Public URL: https://github.com/minanagehsalalma/cve-2021-21735-zte-zxhn-h168n-admin-compromise MITRE: https://www.cve.org/CVERecord?id=CVE-2021-21735 VULNERABILITY DESCRIPTION -------------------------- The ZTE ZXHN H168N V3.5 firmware exposes quick-setup wizard endpoints that return PPPoE credentials (ADUsername, VDUsername) and the WLAN KeyPassphrase via the GetPassword action without requiring authentication. The firmware routing allowlists these endpoints through a QuickSetupEnable branch. In ISP-deployed configurations where the Wi-Fi password is reused as the default admin password, this credential disclosure is a full admin compromise chain requiring a single unauthenticated HTTP request. A bulk PoC script (zte_zxhn_h168n_bulk_poc.py) is included in the repository for verifying scale of exposure. CREDITS ------- Mina Nageh Salalma (Monx Research) https://github.com/minanagehsalalma -----END SECURITY ADVISORY----- _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: https://seclists.org/fulldisclosure/
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。