HomeIntelligenceBrief
VULNERABILITY BRIEF🔴 Critical Vulnerability

Authentication Bypass in ZTE ZXHN H188A V6 Routers Exposes Wi‑Fi and Admin Credentials

A newly disclosed vulnerability (CVE‑2026‑34472) in ZTE ZXHN H188A V6 routers allows unauthenticated attackers to pull WLAN passwords, SSIDs, PPPoE usernames and the default admin password. The flaw is exploitable over the Internet and impacts any organization that deploys or outsources these routers, raising immediate third‑party risk concerns.

LiveThreat™ Intelligence · 📅 May 30, 2026· 📰 exploit-db.com
🔴
Severity
Critical
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
2 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

Authentication Bypass in ZTE ZXHN H188A V6 Routers Exposes Wi‑Fi and Admin Credentials

What Happened – Unauthenticated HTTP requests to the root path of ZTE ZXHN H188A V6 firmware can invoke pre‑login wizard handlers that return WLAN PSKs, SSIDs, PPPoE usernames and the default administrator password (derived from the Wi‑Fi key). The flaw (CVE‑2026‑34472) stems from improper handling of _type and _tag parameters in router_logic_impl.lua.

Why It Matters for TPRM

  • Third‑party network equipment may expose internal credentials, enabling lateral movement into customer environments.
  • Compromised routers can be leveraged to intercept or manipulate traffic for downstream SaaS or cloud services.
  • The vulnerability is publicly exploitable; attackers can target any exposed device without prior access.

Who Is Affected – Telecommunications service providers, ISP‑managed residential broadband, enterprises that deploy ZTE ZXHN H188A routers, and any MSPs that include these devices in their service stack.

Recommended Actions

  • Inventory all ZTE ZXHN H188A V6 devices in your environment and verify firmware version.
  • Upgrade to a patched firmware release (post‑CVE‑2026‑34472) or apply vendor‑provided mitigations.
  • Restrict external access to router management interfaces (e.g., firewall, VPN).
  • Rotate default admin passwords and Wi‑Fi PSKs immediately after remediation.

Technical Notes – The bypass is triggered by sending a POST request to / with _type=loginData and _tag=login_entry, then invoking the getPassword action. No authentication token is required. The issue affects firmware versions V6.0.10P2_TE and V6.0.10P3N3_TE. Approximately 500 devices were publicly reachable at the time of reporting. Source: Exploit‑DB 52593

📰 Original Source
https://www.exploit-db.com/exploits/52593

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Trust Operations

Misconfigurations are control gaps in disguise.

Verisq AI Trust Operations turns findings like this into mapped controls with continuous evidence, keeping your audit readiness current instead of point-in-time.

Map your controls with Verisq AI Trust Operations →