← Back to Feed CACHED · 2026-05-17 09:42:19 · cache_key CVE-2025-29912
CVE-2026-34473 · CWE-400 · Disclosed 2026-05-06

Unauthenticated DoS in ZTE H8102E

ASSESSED — NOISGATE V0.5
Vendor
Reassessed
Verdict:
01 · The Real Story

This is a brick through the router’s front-desk window, not a key to the building

CVE-2026-34473 is an unauthenticated denial-of-service in the web management stack used across multiple ZTE H-series/ZXHN router models: H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, H196Q. Public reporting says an oversized application/x-www-form-urlencoded POST body can hit the CGILua/LuCI parsing path before auth matters, exhaust or fault the web process, and leave the management interface unresponsive until reboot. The CVE record says observed impact is on firmware in use prior to 2022, while also noting the supplier claims devices are not vulnerable since 2021-03-23 and operator firmware may differ.

The vendor-style 7.5/HIGH score overstates enterprise risk. The exploit is easy *if* the management plane is reachable, but the practical impact is narrow: no code execution, no config tampering, no credential exposure, and usually no routing/data-plane outage—just loss of the web UI. That makes this a real operational nuisance for exposed ISP/CPE fleets, but not the kind of bug that should jump ahead of remotely exploitable compromise bugs in a 10,000-host patch queue.

"Remote and unauthenticated, yes—but this is a management-plane lockup, not a foothold."
02 · The Attack Path

4 steps from start to impact.

STEP 01

Find a reachable ZTE web admin surface

The attacker first needs HTTP/HTTPS access to the router’s management UI, typically cgi-bin/luci or the login page exposed on port 80/443. Discovery can be done with basic scanning or internet search engines that index CPE admin panels; the public advisory estimated roughly 140,000 reachable devices at research time.
Conditions required:
  • Target is one of the affected ZTE H-series models
  • Web management is reachable from the attacker’s network position
  • No upstream ACL, VPN gate, or management-plane isolation blocks access
Where this breaks in practice:
  • Many enterprise-managed routers do not expose web admin to the public internet
  • If reachability is LAN-only, the attacker is already post-initial-access
  • Carrier NAT, ACLs, or admin disablement often remove the WAN path entirely
Detection/coverage: External attack-surface management, Shodan/Censys/FOFA reviews, and routine config audits can identify exposed web admin. Traditional authenticated vuln scanners may miss this because they often avoid destructive checks.
STEP 02

Send an oversized form POST with a simple PoC

A public PoC using Python requests sends a single oversized application/x-www-form-urlencoded POST to a CGI endpoint such as /cgi-bin/luci. No login, cookie, or CSRF token is needed according to the advisory because request-body handling occurs before authentication meaningfully protects the path.
Conditions required:
  • HTTP POST requests reach the embedded web stack intact
  • Target accepts application/x-www-form-urlencoded bodies
  • Front-end limits do not reject the body first
Where this breaks in practice:
  • Reverse proxies or upstream devices may cap request size
  • Some deployments expose only HTTPS with client filtering or VPN access
  • Not every firmware build appears equally affected
Detection/coverage: Look for abnormally large POSTs to router admin paths, especially repeated requests to cgi-bin/luci or similar endpoints. IDS/WAF telemetry can catch this pattern if the management interface is routed through an inspectable boundary.
STEP 03

CGILua body parsing burns resources before auth helps

Per the public technical write-up, the vulnerable parser reads the entire POST body into memory before proper bounds checking. That turns a trivial request into uncontrolled resource consumption (CWE-400), crashing or wedging the management service rather than giving the attacker deeper execution.
Conditions required:
  • Affected parser implementation is present in the firmware image
  • The process lacks effective body-size limits or safer parsing controls
Where this breaks in practice:
  • A supplier statement says devices are not vulnerable since 2021-03-23, creating uncertainty around which operator firmware trains are still affected
  • Carrier-customized builds may behave differently from stock firmware
Detection/coverage: Host-level visibility on these routers is usually poor. Best signals are HTTP timeouts, dropped admin sessions, service watchdog restarts, or sudden loss of 80/443 management while forwarding stays up.
STEP 04

Management plane locks up until reboot

The end state is loss of remote web administration, potentially until a manual or power-cycle reboot. That can be painful in branch or ISP scenarios where the operator depends on the web UI, but the published impact is still *availability of management*, not attacker control of the box.
Conditions required:
  • Operators rely on the web UI as the primary management path
  • No alternate admin channel is available
Where this breaks in practice:
  • SSH, TR-069, serial console, or field hands may still recover the device
  • The forwarding/data plane may continue functioning, limiting user-visible blast radius
Detection/coverage: Monitor for management-port health failures without matching WAN/LAN traffic loss. NMS alerts showing UI failure while the device still passes traffic are a strong clue.
03 · Intelligence Metadata

The supporting signals.

In-the-wild statusNo confirmed active exploitation in the sources reviewed. Not KEV-listed and OpenCVE flags exploitation as none.
Proof-of-conceptPublic PoC exists from Mina Nageh Salalma / Monx Research on GitHub, plus a full technical advisory on Full Disclosure.
EPSSUser-supplied EPSS is 0.01634 (~1.634% 30-day probability). That is not zero, but it is far from a breakout exploitation signal; a primary-source percentile was not confirmed in retrieved data.
KEV statusNo entry for CVE-2026-34473 in the CISA Known Exploited Vulnerabilities catalog pages reviewed on 2026-05-29.
CVSS vectorCVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H = easy remote reachability with no auth, but availability-only impact.
Affected versionsCVE/NVD text says it may affect firmware versions prior to 2022 across the listed H-series models. The same record also says the supplier stated devices are not vulnerable since 2021-03-23.
Fixed versionsNo authoritative model-by-model fixed firmware mapping was found. Public disclosure says no patch has been issued; the CVE text only carries the supplier’s broad date claim, which is not enough for fleet validation.
Exposure dataPublic advisory claims ~140,000 publicly reachable devices at research time. Treat that as researcher-provided exposure data, not independently verified census telemetry.
Disclosure timelineCVE published 2026-05-06; Full Disclosure post published 2026-05-20. Research timeline says validation/reporting began in 2024-05 and MITRE escalation happened in 2025-01.
Researcher / reporting orgMina Nageh Salalma (Monx Research).
04 · The Call

noisgate verdict.

Final Verdict
DOWNGRADED to MEDIUM (4.8/10)

The decisive downgrade factor is management-plane reachability: if the web UI is not internet-exposed, the attacker usually needs LAN access first, which makes this post-initial-access in many real deployments. Even when reachable, the effect is primarily a web-admin outage rather than device takeover, so the operational blast radius is much smaller than the raw CVSS suggests.

HIGH Impact is limited to availability of the web management interface
MEDIUM Real-world exposure depends heavily on whether WAN web admin is enabled
LOW Vendor fix status and exact safe firmware boundaries by model

Why this verdict

  • Start from 7.5, then cut for attacker position: the vendor baseline assumes any network path is equally realistic. In practice, many enterprises never expose branch/CPE web admin externally; if the attacker needs internal reachability, that implies prior compromise and materially lowers urgency.
  • Cut again for blast radius: this is a management-plane DoS, not RCE, auth bypass, or config compromise. The likely business effect is loss of the web UI until reboot, while the router may continue forwarding traffic.
  • No threat-pressure multiplier: there is public research and a PoC, but no KEV listing, no confirmed campaign reporting, and the supplied EPSS is modest. That removes the 'patch-now-or-get-burned' signal.

Why not higher?

Because the vulnerability does not provide foothold, privilege gain, data theft, or durable control. The exploit chain is also heavily gated by whether the router’s web admin is reachable at all; that single prerequisite eliminates a large fraction of enterprise deployments from immediate risk.

Why not lower?

Because the bug is still unauthenticated, remotely triggerable, and operationally meaningful where WAN-facing admin exists. If you run these devices as a distributed branch or ISP-like fleet, an attacker can cheaply knock out remote management across many nodes with little skill.

05 · Compensating Control

What to do — in priority order.

  1. Remove WAN web-admin exposure — If these routers are managed in your environment, put the web UI behind VPN, management ACLs, or an internal-only jump path. For a MEDIUM verdict there is no mitigation SLA; do this in the next normal change window, and prioritize any internet-exposed instances first because exposure is the main severity amplifier.
  2. Enforce request-size filtering upstream — Apply reverse-proxy, firewall, or load-balancer limits that reject oversized application/x-www-form-urlencoded POST bodies before they hit the embedded parser. There is no mitigation SLA for MEDIUM here, so deploy on exposed edges during routine maintenance if the device cannot be patched quickly.
  3. Prefer alternate admin channels — Where possible, manage affected units through SSH, TR-069, console, or a controller path instead of depending on the web UI alone. That reduces operational pain if the UI wedges and should be folded into normal hardening and lifecycle work.
  4. Inventory carrier firmware ownership — Determine whether ZTE, your ISP, or an OEM integrator owns the firmware train for each affected model. Because fix boundaries are unclear, use the MEDIUM remediation window to get verifiable build guidance or plan replacement where no supported image exists.
What doesn't work
  • MFA on the admin UI does not help because the request-body parsing issue is reported to trigger before authentication matters.
  • Credential rotation does not help because the attacker does not need valid credentials.
  • EDR is mostly irrelevant on embedded routers; you need exposure control and network-layer visibility instead.
06 · Verification

Crowdsourced verification payload.

Run this from an auditor workstation that can reach the router’s management IP; do not run it on the router. Invoke it as python3 zte_cve_2026_34473_check.py http://192.0.2.10 or python3 zte_cve_2026_34473_check.py https://192.0.2.10; no special privileges are required. This is a non-destructive fingerprint check that tries to identify affected models and obvious old build markers, so it will often return UNKNOWN when version data is hidden.

noisgate-verify.py
PYTHONREAD-ONLYSAFE
#!/usr/bin/env python3
# CVE-2026-34473 non-destructive exposure/fingerprint check
# Exit codes: 0=PATCHED, 1=VULNERABLE, 2=UNKNOWN

import re
import sys
from urllib.parse import urljoin

try:
    import requests
    requests.packages.urllib3.disable_warnings()  # type: ignore[attr-defined]
except Exception:
    print('UNKNOWN')
    sys.exit(2)

AFFECTED_MODELS = {
    'H8102E','H168N','H167A','H199A','H288A','H198A','H267A','H267N',
    'H268A','H388X','H196A','H369A','H268N','H208N','H367N','H181A','H196Q'
}

BUILD_YEAR_RE = re.compile(r'(20\d{2})')
MODEL_RE = re.compile(r'\b(H8102E|H168N|H167A|H199A|H288A|H198A|H267A|H267N|H268A|H388X|H196A|H369A|H268N|H208N|H367N|H181A|H196Q)\b', re.I)
FIRMWARE_RE = re.compile(r'(firmware|software|version|build)[^\n<]{0,80}', re.I)


def fetch_text(base_url):
    paths = ['/', '/cgi-bin/luci', '/index.html', '/login.html']
    session = requests.Session()
    session.headers.update({'User-Agent': 'noisgate-cve-check/1.0'})
    blobs = []
    for p in paths:
        url = urljoin(base_url.rstrip('/') + '/', p.lstrip('/'))
        try:
            r = session.get(url, timeout=8, verify=False, allow_redirects=True)
            if r.text:
                blobs.append(r.text[:200000])
            for k, v in r.headers.items():
                blobs.append(f'{k}: {v}')
        except Exception:
            continue
    return '\n'.join(blobs)


def main():
    if len(sys.argv) != 2:
        print('UNKNOWN')
        sys.exit(2)

    base = sys.argv[1]
    if not re.match(r'^https?://', base, re.I):
        print('UNKNOWN')
        sys.exit(2)

    text = fetch_text(base)
    if not text.strip():
        print('UNKNOWN')
        sys.exit(2)

    upper = text.upper()
    model_hits = {m.upper() for m in MODEL_RE.findall(upper)}
    zteish = ('ZTE' in upper) or ('ZXHN' in upper) or bool(model_hits)

    if not zteish:
        print('UNKNOWN')
        sys.exit(2)

    if not model_hits:
        # Looks like ZTE/ZXHN but model is not visible unauthenticated.
        print('UNKNOWN')
        sys.exit(2)

    affected = any(m in AFFECTED_MODELS for m in model_hits)
    if not affected:
        print('PATCHED')
        sys.exit(0)

    # Try to infer build age from exposed strings.
    context = ' '.join(FIRMWARE_RE.findall(text))
    years = [int(y) for y in BUILD_YEAR_RE.findall(text) if 2000 <= int(y) <= 2099]
    year = min(years) if years else None

    # Heuristic only:
    # - If an affected model is identified and any visible build marker is pre-2022, call VULNERABLE.
    # - If an affected model is identified and all visible build markers are >=2022, call PATCHED.
    # - Otherwise UNKNOWN.
    if year is not None and year < 2022:
        print('VULNERABLE')
        sys.exit(1)
    if year is not None and year >= 2022:
        print('PATCHED')
        sys.exit(0)

    print('UNKNOWN')
    sys.exit(2)


if __name__ == '__main__':
    main()
07 · Bottom Line

If you remember one thing.

TL;DR
Monday morning, do not let the HIGH vendor label bully this above real compromise bugs. First, inventory whether any of these ZTE H-series devices are actually in your estate and whether their web admin is internet-reachable; if yes, remove public exposure or add upstream request-size controls in the next normal change window. Because this landed as MEDIUM, there is noisgate mitigation SLA — go straight to the 365-day remediation window. For remediation, use the noisgate remediation SLA of ≤365 days to obtain a verifiable fixed firmware from ZTE/carrier channels or to replace/isolate devices that cannot be tied to a supported, non-vulnerable build.

Sources

  1. NVD CVE-2026-34473
  2. Full Disclosure advisory
  3. MITRE/GitHub gist reference
  4. Public PoC repository
  5. CISA Known Exploited Vulnerabilities catalog
  6. FIRST EPSS data and statistics
  7. ZTE PSIRT security bulletins
  8. ZTE vulnerability response process
Peer Review

What defenders are saying.

Submit a review attribution: handle + country only
0 flags selected · stored anonymously
Validation Results

Crowdsourced verification outputs.

Results submitted by users who ran the verification payload against their environment.