
A pre-authentication POST request with an oversized application/x-www-form-urlencoded body can crash the web management interface on ZTE H-series routers. No login is required. The root cause is not a simple missing size check. The router’s CGI layer eagerly reads and parses the entire POST body before authentication logic runs, and that parsing path is expensive enough under load to stall the web UI. At the time of the original 2024 report, a Shodan workset showed approximately 146,561 reachable devices across 17 or more models.
Executive Summary
CVE-2026-34473 is an unauthenticated denial-of-service vulnerability in the web management interface of ZTE H-series routers. The trigger is a POST request with an oversized application/x-www-form-urlencoded body. The router’s CGI framework (cgilua.lua + cgilua/post.lua) reads and parses the full request body before authentication, within a default maximum-input budget of 2,097,152 bytes. Any body below that threshold reaches a full read(inputsize) plus urlcode.parsequery() operation before the router has decided whether the caller is authorized.
ZTE stated in February 2026 that the issue had been resolved on 2021-03-23 and declined vendor-side CVE assignment. MITRE independently assigned CVE-2026-34473, which was published on cve.org on May 6, 2026.
Affected Systems
Based on direct testing, almost any firmware version prior to 2022 is affected across this H-series surface. The 17 models validated in the original 2024 report were:
H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, H196Q
The 140K+ figure is the original 2024 Shodan exposure estimate (146,561 devices observed). The live count may have changed since then.
Trigger Request
For models where a 100,000-character body is sufficient (browser-console generation):
POST / HTTP/1.1
Host: [redacted-router-ip]
Content-Type: application/x-www-form-urlencoded
Content-Length: 100000
[100,000-character URL-encoded body]
For models requiring a 1,000,000-character body, the same structure applies at higher Content-Length. A Python script can generate the body reliably across the tested model set.
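The request above can be recognised from its request line and headers alone, which is also the property a safe parser needs: the decision is made before a single body byte is consumed. The following triage script is an added example, not part of the original advisory or of the router firmware. It parses only the head of a raw HTTP/1.x request, flags POST requests whose declared application/x-www-form-urlencoded body is at or above an assumed alert threshold of 50,000 bytes (the advisory's triggers were 100,000 and 1,000,000 characters; the firmware cap is 2,097,152), and treats a missing or malformed Content-Length the way the firmware does (as zero). The sample request heads and the hostname router.lan are constructed for the demonstration.

```python
"""Header-only triage of HTTP requests aimed at a router management UI.

Added example (not from the advisory or the firmware): flags POST requests
whose declared urlencoded body is large enough to exercise the
pre-authentication parse path. The body after the blank line is never read.
"""
from typing import List, Optional, Tuple

URLENCODED = "application/x-www-form-urlencoded"
# Assumed alert threshold; the advisory's triggers were 100,000 and
# 1,000,000-character bodies and the firmware's own cap is 2,097,152 bytes.
ALERT_BODY_BYTES = 50_000


def parse_request_head(raw: bytes) -> Optional[dict]:
    """Parse only the request line and headers of a raw HTTP/1.x request.

    Returns None for anything that is not a well-formed request head.
    Header names are lower-cased; whatever follows the blank line is ignored.
    """
    head, sep, _body = raw.partition(b"\r\n\r\n")
    if not sep:
        return None
    lines = head.decode("latin-1").split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    return {"method": parts[0], "target": parts[1], "headers": headers}


def declared_body_length(headers: dict) -> int:
    """Content-Length as an int, or 0 when absent or malformed.

    Mirrors the firmware's tonumber(defs.content_length) or 0: a bad value
    means nothing is read, so it does not reach the vulnerable branch.
    """
    value = headers.get("content-length", "")
    return int(value) if value.isdigit() else 0


def classify_request(raw: bytes) -> Optional[str]:
    """Return an alert reason for one request head, or None if it looks benign."""
    req = parse_request_head(raw)
    if req is None:
        return "malformed request head"
    if req["method"] != "POST":
        return None
    ctype = req["headers"].get("content-type", "").lower()
    if URLENCODED not in ctype:
        return None  # other content types do not reach urlcode.parsequery()
    length = declared_body_length(req["headers"])
    if length >= ALERT_BODY_BYTES:
        return f"oversized urlencoded POST body: {length} bytes to {req['target']}"
    return None


def triage(requests: List[bytes]) -> List[Tuple[int, str]]:
    """Run classify_request over captured request heads; return (index, reason) pairs."""
    findings = []
    for i, raw in enumerate(requests):
        reason = classify_request(raw)
        if reason:
            findings.append((i, reason))
    return findings


# Constructed sample request heads (no real device, address or capture involved).
SAMPLES = [
    b"POST / HTTP/1.1\r\nHost: router.lan\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 42\r\n\r\n",
    b"GET / HTTP/1.1\r\nHost: router.lan\r\n\r\n",
    b"POST / HTTP/1.1\r\nHost: router.lan\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: 100000\r\n\r\n",
    b"POST /upload HTTP/1.1\r\nHost: router.lan\r\nContent-Type: multipart/form-data; boundary=x\r\nContent-Length: 1000000\r\n\r\n",
    b"POST / HTTP/1.1\r\nHost: router.lan\r\nContent-Type: application/x-www-form-urlencoded\r\nContent-Length: abc\r\n\r\n",
]

if __name__ == "__main__":
    for index, reason in triage(SAMPLES):
        print(f"sample {index}: {reason}")
```

Only the third sample is flagged: the small login-sized form, the GET, the multipart upload (a different parser branch) and the malformed Content-Length all pass. The same head-only check can sit in a reverse proxy or an IDS rule in front of devices that cannot yet be updated.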
Root Cause Analysis
The vulnerability is a pre-authentication architectural flaw, not a simple missing size check. The firmware extracted from the H168N provides the clearest code comparison. The decompiled source maps directly to the live exploitation path.
Five steps describe the vulnerable chain:
1. cgilua.lua runs post.parsedata() for every POST request before the login and page-action flow. The body hits parser code before authentication matters.
2. The caller passes a default maxinput of 2,097,152 bytes into the parser.
3. parsedata() only rejects input when inputsize > maxinput. Any body below that threshold continues into content-type dispatch.
4. The dangerous branch is the x-www-form-urlencoded path: urlcode.parsequery(read(inputsize), defs.args).
5. An unauthenticated, attacker-controlled body is fully read and immediately parsed into Lua structures. That is enough to stall the web UI in the validated firmware set.
Code Evidence
Decompiled from H168N firmware (reconstructed logic, not vendor source).
cgilua.lua — caller-side POST setup:
    -- cgilua.lua: caller-side POST setup (runs before authentication)
    -- requestmethod, sapi, servervariable and POST are cgilua module-level names
    local _default_maxinput = 2097152
    local _maxinput = _default_maxinput
    if requestmethod == "POST" then
        post.parsedata({
            read = sapi.Request.getpostdata,               -- reads raw body bytes
            content_type = servervariable("CONTENT_TYPE"),
            content_length = servervariable("CONTENT_LENGTH"),
            maxinput = _maxinput,                          -- 2,097,152 bytes
            args = POST                                    -- parsed fields land here
        })
    end
cgilua/post.lua — the exact branch where the bug happens:
    -- cgilua/post.lua: the exact branch where the bug occurs
    function parsedata(defs)
        local read = defs.read                         -- sapi.Request.getpostdata
        local content_type = defs.content_type or ""
        local maxinput = defs.maxinput
        defs.POST_DESC = defs.POST_DESC or {}          -- status table reported back to the caller
        local inputsize = tonumber(defs.content_length) or 0
        if inputsize > maxinput then
            -- only bodies above maxinput (2,097,152 bytes) are refused
            defs.POST_DESC.isExceedMaxInput = true
            inputsize = 0
            return
        end
        if string.find(content_type, "x-www-form-urlencoded", 1, true) then
            -- reads the full body and parses it BEFORE any authentication check runs
            urlcode.parsequery(read(inputsize), defs.args)
        end
    end
The combination: every POST reaches post.parsedata(), and if the body is still under maxinput, the urlencoded branch performs a full read(inputsize) followed by urlcode.parsequery() before authentication gates matter.
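The fix is an ordering change as much as a size limit: decide who the caller is before touching the body, and bound every read by a cap that suits the endpoint rather than one 2 MiB budget. The following script is an added example, not the firmware's code or the vendor's patch. Two toy dispatchers run over a WSGI-style environ: vulnerable_dispatch reproduces the cgilua order from the advisory (read and parse any urlencoded POST body under maxinput, then decide about authentication), while hardened_dispatch authenticates first, lets only the login form through pre-authentication under a small cap, and refuses oversized bodies on the declared Content-Length alone. The caps, the /login path, the session check and the constructed request bodies are assumptions for the demonstration.

```python
"""Dispatch order as the fix: authenticate before touching the body.

Added example, not the firmware's code or the vendor's patch. Compares the
cgilua order described in the advisory with an order that checks the
session first and bounds every form read by a per-endpoint cap.
"""
import io
from typing import Optional, Tuple
from urllib.parse import parse_qs

DEFAULT_MAXINPUT = 2_097_152   # firmware default from cgilua.lua
LOGIN_FORM_CAP = 4_096         # assumed: the only form parsed before auth
AUTHED_FORM_CAP = 64 * 1024    # assumed: forms from authenticated sessions
LOGIN_PATH = "/login"          # hypothetical login endpoint
URLENCODED = "application/x-www-form-urlencoded"


def make_environ(method: str, path: str, body: bytes,
                 ctype: str = URLENCODED, session: Optional[str] = None) -> dict:
    """Minimal WSGI-like environ; the body sits behind a stream so that
    stream.tell() later reveals how many body bytes a dispatcher consumed."""
    return {
        "REQUEST_METHOD": method,
        "PATH_INFO": path,
        "CONTENT_TYPE": ctype,
        "CONTENT_LENGTH": str(len(body)),
        "wsgi.input": io.BytesIO(body),
        "session": session,          # stand-in for the router's session state
    }


def declared_length(environ: dict) -> int:
    """Content-Length as int, or 0 when absent or malformed (tonumber(...) or 0)."""
    value = environ.get("CONTENT_LENGTH") or "0"
    return int(value) if value.isdigit() else 0


def is_authenticated(environ: dict) -> bool:
    # Stand-in for the real session check: any non-empty session passes.
    return bool(environ.get("session"))


def parse_form(environ: dict, limit: int) -> dict:
    """Read at most `limit` body bytes and parse them as a urlencoded form."""
    raw = environ["wsgi.input"].read(limit)
    return parse_qs(raw.decode("latin-1"))


def vulnerable_dispatch(environ: dict) -> Tuple[int, int]:
    """cgilua order: parse first, authenticate second.
    Returns (HTTP status, body bytes consumed)."""
    stream = environ["wsgi.input"]
    if environ["REQUEST_METHOD"] == "POST":
        inputsize = declared_length(environ)
        # Everything up to maxinput is read and parsed, whoever sent it.
        if inputsize <= DEFAULT_MAXINPUT and URLENCODED in environ["CONTENT_TYPE"]:
            parse_form(environ, inputsize)
    if environ["PATH_INFO"] != LOGIN_PATH and not is_authenticated(environ):
        return 401, stream.tell()
    return 200, stream.tell()


def hardened_dispatch(environ: dict) -> Tuple[int, int]:
    """Authenticate (or route to login) before any body byte is read, and
    refuse on the declared size alone when it exceeds the endpoint's cap."""
    stream = environ["wsgi.input"]
    path = environ["PATH_INFO"]
    if path == LOGIN_PATH:
        cap = LOGIN_FORM_CAP
    elif is_authenticated(environ):
        cap = AUTHED_FORM_CAP
    else:
        return 401, stream.tell()      # rejected with the body untouched
    if environ["REQUEST_METHOD"] == "POST":
        if declared_length(environ) > cap:
            return 413, stream.tell()  # rejected before any read
        if URLENCODED in environ["CONTENT_TYPE"]:
            parse_form(environ, cap)   # bounded read even if Content-Length lied
    return 200, stream.tell()


# Constructed requests: a 100,000-byte unauthenticated form shaped like the
# trigger above, and a small authenticated form legitimate traffic would send.
OVERSIZED_BODY = b"a=" + b"A" * 99_998
SMALL_BODY = b"x=1&y=2"


def compare() -> dict:
    """Run both dispatchers on the same inputs; keys name the scenario."""
    results = {}
    for name, kwargs in {
        "unauth_oversized": dict(method="POST", path="/", body=OVERSIZED_BODY),
        "login_oversized": dict(method="POST", path=LOGIN_PATH, body=OVERSIZED_BODY),
        "authed_small": dict(method="POST", path="/settings", body=SMALL_BODY, session="s1"),
    }.items():
        results[name] = {
            "vulnerable": vulnerable_dispatch(make_environ(**kwargs)),
            "hardened": hardened_dispatch(make_environ(**kwargs)),
        }
    return results


if __name__ == "__main__":
    for scenario, outcome in compare().items():
        print(scenario, outcome)
```

The bytes-consumed column is the one to watch: the vulnerable order pulls all 100,000 bytes through the parser for an anonymous caller before answering 401, while the hardened order answers 401 or 413 having read nothing, and still parses the small authenticated form normally.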
Impact
The web management interface becomes unavailable. No login is required to reach the vulnerable request path. During testing, recovery required a manual router reboot; the interface did not recover on its own. Because the trigger lives in request-body handling that runs before any authentication logic, firewall or access rules that only restrict authenticated paths do not protect against it. With approximately 146,561 reachable devices identified via Shodan at the time of the original 2024 report, the scale of potential impact is significant. Any internet-facing ZTE H-series device running an unpatched firmware build remains exposed to this attack through a single unauthenticated HTTP request. Because the management interface is completely unavailable during a crash event, administrators cannot intervene remotely, which compounds the operational impact for managed deployments.
The Shodan report screenshot and validation evidence are available in the canonical write-up.
Vendor Position
ZTE responded in February 2026 that the issue had been resolved on 2021-03-23 and declined vendor-side CVE assignment. The public record still matters because the issue was reported in 2024, acknowledged by the vendor, escalated through MITRE, and ultimately published as CVE-2026-34473. Capturing the vendor remediation diff remains an open reverse-engineering challenge; later H168N and H288A firmware artifacts may help, but the encrypted packaging on some later builds makes comparison non-trivial.
Disclosure Timeline
2024-05-02: ZTE PSIRT received the original report.
2024-05-06: ZTE acknowledged receipt and forwarded the report to the related product team.
2026-01-17: MITRE service request 1980204 opened.
2026-02-02: ZTE declined vendor-side CVE assignment, stating the issue had been resolved 2021-03-23.
2026-03-27: MITRE assigned CVE-2026-34473.
2026-04-13: service request 2016046 tracked publication follow-up.
2026-05-06: CVE-2026-34473 published on cve.org.
References
CVE-2026-34473: Unauthenticated Denial of Service in ZTE Routers Affecting 17+ Models was originally published in System Weakness on Medium.