Authentication Bypass in ZTE ZXHN H188A V6 Routers Exposes Wi‑Fi and Admin Credentials
What Happened – Unauthenticated HTTP requests to the root path of ZTE ZXHN H188A V6 firmware can invoke pre‑login wizard handlers that return WLAN PSKs, SSIDs, PPPoE usernames and the default administrator password (derived from the Wi‑Fi key). The flaw (CVE‑2026‑34472) stems from improper handling of _type and _tag parameters in router_logic_impl.lua.
Why It Matters for TPRM –
- Third‑party network equipment may expose internal credentials, enabling lateral movement into customer environments.
- Compromised routers can be leveraged to intercept or manipulate traffic for downstream SaaS or cloud services.
- The vulnerability is publicly exploitable; attackers can target any exposed device without prior access.
Who Is Affected – Telecommunications service providers, ISP‑managed residential broadband, enterprises that deploy ZTE ZXHN H188A routers, and any MSPs that include these devices in their service stack.
Recommended Actions –
- Inventory all ZTE ZXHN H188A V6 devices in your environment and verify firmware version.
- Upgrade to a patched firmware release (post‑CVE‑2026‑34472) or apply vendor‑provided mitigations.
- Restrict external access to router management interfaces (e.g., firewall, VPN).
- Rotate default admin passwords and Wi‑Fi PSKs immediately after remediation.
Technical Notes – The bypass is triggered by sending a POST request to / with _type=loginData and _tag=login_entry, then invoking the getPassword action. No authentication token is required. The issue affects firmware versions V6.0.10P2_TE and V6.0.10P3N3_TE. Approximately 500 devices were publicly reachable at the time of reporting. Source: Exploit‑DB 52593