Exploits

ZTE Routers Unauthenticated DoS Affects 140000 Devices

Published  ·  9 min read

ZTE routers

A flaw in ZTE router devices creates a vulnerability that permits unauthenticated users an ability to crash their management interface with a single, large POST request. This vulnerability is present on approximately 140,000 routers that are publicly available on the Internet.  

The CVEs associated with these routers are CVE-2026-34473 and affects at least 17 models of ZXHN routers made by ZTE, currently in use by Internet Service Providers (ISP's) around the world.

Researcher Mina Nageh Salalma of Monx Research discovered the ZTE router un-authenticated DoS vulnerability and published proof-of-concept (PoC) code to execute it.

How it Works

The ZE Router DoS Vulnerability is caused by a lack of limits imposed by the ZTE router's CGILua/post.lua parser on the maximum BODY size for application/x-www-form-urlencoded based POST requests. When sent to the ZTE router's web page via any of its CGI endpoints, the exploit sends a single oversized POST request to the router and causes the router's web server program to either go down or freeze.

To restore the affected web service, the administrator must either restart the router or the router's web server program. There is no authentication, session or credential checking required to exploit this vulnerability, therefore, any attacker that has the ability to access the router will be able to do so.

The Simple Exploit

The proof-of-concept for the ZTE routers unauthenticated denial of service vulnerability is remarkably simple.

An exploit sends a POST request to /cgi-bin/luci with 256 KB of "A" as its payload in an HTTP request as application/x-www-form-urlencoded.

If the target is vulnerable, the router's web service will fail and the exploit will identify this by checking for errors like connection refused, timeout or unanticipated response.

The ZTE routers unauthenticated denial of service exploit can be executed with a single command, and no special tools are required beyond Python and the requests library.

Affected Models

The ZTE routers unauthenticated denial of service vulnerability affects 17 or more ZTE ZXHN router models.

The researcher confirmed the vulnerability on multiple ZTE ZXHN models, and the exact list of affected models has not been published.

Many ISPs all over the world utilize ZTE routers as the main gateway to connect homes and small businesses to the Internet.

Exposed Devices

According to research performed at the time of discovery, there are around 140,000 publicly accessible ZTE routers that are vulnerable to the unauthenticated Denial of Service (DoS) vulnerabilities.

Although these routers are publicly available, it is possible to have DoS attacks performed on them via ISP networks or if they become infected by malware.

If executed, attackers can use these vulnerabilities to cause the complete Internet connectivity loss for thousands of homes and businesses.

The Impact of a Successful Attack

A denial-of-service (DoS) attack on a ZTE router causes many issues with how the router operates:

1. If an administrator's ZTE router is attacked and they cannot access the web user interface (UI), they have no way to access the router.

2. After an attack, the ZTE router does not need to be rebooted to perform some tasks; therefore, the router will continue to route packets even though the web UI has been attacked.

3. When an administrator wants to access the web UI again, he or she must restart the ZTE router or restart the web UI service on the router to be able to access the interface.

4. An attacker can use the ZTE router to launch DoS attacks; therefore, they could bring the web UI down repeatedly, as often as they wish when the ZTE router is back in service.

The Danger of the Vulnerability

The unauthenticated Denial of Service vulnerability within ZTE routers has numerous potentially dangerous characteristics:

1. Unauthenticated - Any attack can access the IP address of the device and do not need an account to log in to the device (i.e., there is no user name and password required to access).

2. Remote Exploitability - It is possible to exploit the flaw through an internet connection and attackers can search for ZTE routers that have this vulnerability from anywhere in the world.

3. Very Easy to Execute - To exploit the flaw requires only one HTTP POST request (to the target ZTE router) which means that even people with limited knowledge will be able to exploit this vulnerability.

4. No Fix Available - There are currently no patches provided by ZTE after the disclosure of this vulnerability which means that affected routers could be vulnerable for an indefinite period of time.

5. End-User Replacement - Most of these routers are controlled by ISPs which means most customers will not be able to update their firmware.

The Researcher

Mina Nageh Salalma found the ZTE Router Denial of Service Vulnerability. He has developed an extensive proof-of-concept that can be found on GitHub after testing a wide variety of ZTE ZXHN Models.

The researcher found that all 17 separate models had the same vulnerability and demonstrated an exploit that is available publicly. 

The ZTE Router Denial of Service Vulnerability has been assigned CVE-2026-34473; the researcher disclosed the vulnerability on May 20, 2026.

How to Check If Your Router Is Vulnerable

The ZTE routers unauthenticated denial of service vulnerability is easy to test.

If you have a ZTE router, you can run the proof-of-concept exploit against your own device (with permission), and the exploit will attempt to crash the web interface.

The ZTE routers unauthenticated denial of service test is non-destructive in that it does not permanently damage the router, but it will crash the web service and require a reboot.
Only test on routers you own or have explicit permission to test.

How to Protect Your ZTE Router

The ZTE routers unauthenticated denial of service vulnerability has no patch mentioned at the time of disclosure, but there are mitigation steps:

1. Restrict remote access. If your router allows remote management, disable it, the ZTE routers unauthenticated denial of service vulnerability requires network access to the web interface.

2.  To reduce exposure to external scans and attacks on the default TCP port 80 (HTTP) and TCP port 443 (HTTPS) configurations, configure your routers to utilize alternate TCP ports; this will decrease the chance of anyone discovering a router’s web interface.

3.  Set up firewalls on all routers to restrict access to their respective web interfaces via untrusted networks; only permit remote access to the routers’ web interfaces from local IP addresses.

4.  If the web interface of your router has been repeatedly crashing, then it could be indicative that someone is attempting to hack into your router.

5.  Contact your Internet Service Provider (ISP) to determine if they can perform a remote firmware upgrade on your router or provide you with instructions for performing a workaround to the firmware. Most ZTE routers are sold through ISPs and as such are usually manageable via remote service by ISPs.

6. Consider replacing the router. If your ISP cannot provide a fix, consider replacing the router with a different model from a different vendor.

The CGILua Issue

The ZTE routers’ unauthenticated denial-of-service flaw is due to an issue with the CGILua parser being a Lua-based web-scripting system for embedded devices.

This programming error is a common one among many other embedded devices found throughout history, where the code does not limit the amount of data sent to it by not setting a maximum allowed body size.

This is an example of how even the simplest input validation issues exist in 2026.

The ISP Role

Many of the affected ZTE routers are provided by internet service providers, and ISPs often configure these routers remotely and push firmware updates.

The ZTE routers unauthenticated denial of service vulnerability can only be fully fixed by ZTE releasing a firmware patch, and ISPs then need to deploy that patch to their customers.

End users cannot patch their own routers, and they are dependent on their ISP for a fix.

Final Thoughts

The ZTE routers unauthenticated denial of service vulnerability is a simple but effective attack.

A single 256 kilobyte POST request can crash the web interface of an estimated 140,000 ZTE routers, and attackers can disrupt internet connectivity for homes and businesses around the world.

The ZTE routers unauthenticated denial of service vulnerability requires no authentication, no special skills, and no expensive tools.

If you have a ZTE router, check with your ISP about a firmware update, restrict remote access to the web interface, and monitor for unexplained reboots or unresponsive management pages.

The ZTE routers unauthenticated denial of service vulnerability is a reminder that even basic input validation errors can have widespread consequences when they affect millions of deployed devices.

FAQ Section

What is CVE-2026-34473?

CVE-2026-34473 is a ZTE routers unauthenticated denial of service vulnerability, the CGILua post.lua parser does not enforce a maximum body size, and an attacker can crash the web service with a single oversized POST request.

How many ZTE routers are vulnerable?

The ZTE routers unauthenticated denial of service vulnerability affects an estimated 140,000 publicly exposed devices across 17 or more ZTE ZXHN router models.

Does the assailant require authorization in order to exploit this vulnerability?

No, the ZTE routers have an unauthenticated denial of service vulnerability, which does not require authentication, a session or credentials. Therefore, any attacker that can access the Web Interface of the router can cause it to crash.

Are there patches available for CVE-2026-34473?

There were no indications of a patch from ZTE at the time of disclosure, thus the routers will remain vulnerable indefinitely. Please contact your ISP for further information.

Can the router still route traffic after the web service crashes?

Yes, the ZTE routers unauthenticated denial of service vulnerability crashes the web management interface but the router may continue routing traffic, however the administrator cannot manage the device without a reboot.

Source: Exploit DB
Professional Services

Explore Our Cybersecurity Services

Our insights are backed by hands-on service delivery. If your business needs professional cybersecurity support, our UK-based specialists are ready to help.

© 2016 – 2026 Red Secure Tech Ltd. Registered in England and Wales — Company No: 15581067