Unauthenticated Credential Exposure in ZTE ZXHN H298A/H108N Routers (CVE‑2026‑34474) Reveals Admin Password and Wi‑Fi PSK
What Happened – A newly disclosed vulnerability (CVE‑2026‑34474) allows any unauthenticated attacker to issue a single HTTP GET request to /getpage.lua?pid=1000ÐCheat=1 on ZTE ZXHN H298A (firmware 1.1) or H108N (firmware 2.6) routers. The response returns the live administrator password, Wi‑Fi pre‑shared key (PSK), ESSID, and serial number in clear‑text. No session, cookie, or authentication is required.
Why It Matters for TPRM –
- Exposed admin credentials enable full control of the router, allowing downstream network compromise of any connected third‑party services.
- Wi‑Fi PSK leakage can be leveraged to infiltrate corporate premises that rely on the router for guest or site‑to‑site connectivity.
- The flaw is exploitable remotely over the Internet, expanding the attack surface for any organization that outsources broadband or uses ZTE equipment in its facilities.
Who Is Affected – Telecommunications service providers, enterprises that deploy ZTE ZXHN H298A/H108N routers in branch offices, managed service providers (MSPs) that provision these devices for clients, and any third‑party SaaS platforms reachable through the compromised network.
Recommended Actions –
- Inventory all ZTE ZXHN H298A and H108N devices and verify firmware versions.
- Immediately upgrade to firmware releases that patch CVE‑2026‑34474 (or apply vendor‑provided mitigations).
- Enforce network segmentation to isolate router management interfaces from business traffic.
- Rotate administrator passwords and Wi‑Fi PSKs on all affected devices.
- Review remote access controls and consider blocking HTTP access to the vulnerable endpoint at the perimeter.
Technical Notes – The vulnerability is a VULNERABILITY_EXPLOIT: an unauthenticated HTTP GET to /getpage.lua?pid=1000ÐCheat=1 returns HTML containing OBJ_USERINFO_IDPassword1, WLANPSK_KeyPassphrase1, and WLANAP_ESSID1 fields in plaintext. A second endpoint (/wizard_page/wizard_overETHfail_set_lua.lua) discloses the device serial number. No authentication, session, or cookie is required. Source: Exploit‑DB 52592