





















-----BEGIN SECURITY ADVISORY-----

Advisory ID: MONX-2026-002
CVE ID: CVE-2026-34472
Title: ZTE ZXHN H188A V6 - Authentication Bypass via Pre-Login Wizard Credential Leakage
Affected: ZTE ZXHN H188A V6.0.10P2_TE, V6.0.10P3N3_TE
Date: 2026-05-20
Author: Mina Nageh Salalma (Monx Research)
Contact: minanageh379 () gmail com
Public URL: https://github.com/minanagehsalalma/cve-2026-34472-auth-bypass-zte-h188a-router
MITRE: https://www.cve.org/CVERecord?id=CVE-2026-34472

VULNERABILITY DESCRIPTION
--------------------------
Unauthenticated requests to the root path of ZTE ZXHN H188A V6 firmware
can reach pre-login wizard handlers and disclose WLAN PSKs, SSIDs, and
PPPoE usernames. The leaked Wi-Fi password is also the default
administrator password after uppercasing, resulting in full
authentication bypass.

ROOT CAUSE
----------
router_logic_impl.lua accepts attacker-controlled _type and _tag
parameters for empty-path requests. urlpath_2type_modifier.lua only
activates the QuickSetupEnable gate when _type is absent. Supplying
_type explicitly causes the wizard handlers (getPassword, wlan_get,
ppp_get) to execute for unauthenticated requests, returning WLAN PSKs,
SSIDs, and PPPoE credentials.

TIMELINE
--------
2024-04-26: Local validation and PoC artifacts created.
2024-05: Report sent to ZTE PSIRT.
2024-05-10: ZTE PSIRT stopped responding.
2026-01-17: Escalated to MITRE.
2026-02-02: ZTE PSIRT explicitly declined CVE assignment.
2026-03-27: MITRE assigned CVE-2026-34472.
2026-05-20: Full public disclosure.

CREDITS
-------
Mina Nageh Salalma (Monx Research)
https://github.com/minanagehsalalma

-----END SECURITY ADVISORY-----

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/
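
The gate placement described under ROOT CAUSE, shown beside a corrected placement, as an added example that is not firmware code and not from the advisory's author. It is a simplified Python model: the _type value, the use of _tag to name a handler, the path-to-type mapping and the return strings are assumptions made for illustration; only the handler names and the QuickSetupEnable gate come from the advisory.

```python
# Simplified model of the gate described under ROOT CAUSE. Not firmware code.
# Assumed for illustration: the _type value, _tag naming the handler,
# the path-to-type mapping, and the return strings.
WIZARD_HANDLERS = {"getPassword", "wlan_get", "ppp_get"}  # names from the advisory
WIZARD_TYPE = "WIZARD_TYPE_PLACEHOLDER"                   # constructed value


def derive_type_from_path(path):
    """Stand-in for the path-to-type step: the empty path maps to the wizard."""
    return WIZARD_TYPE if path in ("", "/") else "page"


def wizard_allowed(quick_setup_enabled, authenticated):
    """Wizard data is served only during first-run setup or after login."""
    return quick_setup_enabled or authenticated


def dispatch(req_type, params):
    """Run the named wizard handler, or fall back to a normal page."""
    tag = params.get("_tag")
    if req_type == WIZARD_TYPE and tag in WIZARD_HANDLERS:
        return "handler:" + tag  # the real handlers return PSK / SSID / PPPoE data
    return "page"


def flawed_gate(path, params, quick_setup_enabled, authenticated):
    """The gate lives only on the branch where _type is absent."""
    req_type = params.get("_type")
    if req_type is None:
        req_type = derive_type_from_path(path)
        if req_type == WIZARD_TYPE and not wizard_allowed(quick_setup_enabled, authenticated):
            return "login_required"
    # A caller-supplied _type never passes through the check above.
    return dispatch(req_type, params)


def hardened_gate(path, params, quick_setup_enabled, authenticated):
    """The gate is applied to the final type, whichever side supplied it."""
    req_type = params.get("_type") or derive_type_from_path(path)
    if req_type == WIZARD_TYPE and not wizard_allowed(quick_setup_enabled, authenticated):
        return "login_required"
    return dispatch(req_type, params)


if __name__ == "__main__":
    # Constructed request: setup already completed, no session.
    req = {"_type": WIZARD_TYPE, "_tag": "wlan_get"}
    print("flawed:  ", flawed_gate("/", req, False, False))
    print("hardened:", hardened_gate("/", req, False, False))
```

The authorization decision belongs on the value the dispatcher will act on, not on the code path that produced it; any check that runs only when a client omits a field can be skipped by sending that field.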