| Title | ZTE ZXHN H188A V6.0.10P2_TE / V6.0.10P3N3_TE Authentication Bypass |
|---|---|
| Description | ZTE ZXHN H188A firmware V6.0.10P2_TE and V6.0.10P3N3_TE contains an unauthenticated pre-login wizard exposure reachable via the root path with attacker-controlled _type and _tag parameters. A request such as /?_type=tedataNotLoginData&_tag=wizard_lua.lua can return the default administrator password, WLAN PSK, and PPPoE credentials through actions including getPassword, wlan_get, and ppp_get. In validated cases the disclosed Wi-Fi password becomes the default administrator password when uppercased, which turns the credential leak into administrative authentication bypass. The issue is rooted in query-driven router selection that bypasses the normal QuickSetupEnable gate for empty URL paths. |
| Source | https://minanagehsalalma.github.io/cve-2026-34472-auth-bypass-zte-h188a-router/ |
| User | MonxResearch (UID 98419) |
| Submission | 05/20/2026 18:14 (21 days ago) |
| Moderation | 06/05/2026 18:59 (16 days later) |
| Status | Accepted |
| VulDB entry | 354212 [ZTE ZXHN H188A 6.0.10P2_TE/6.0.10P3N3_TE Wizard Interface information disclosure] |
| Points | 20 |