<!doctype html>
<html lang="en">
<head>
  <meta charset="utf-8">
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <title>CVE-2026-34474: ZTE H298A / H108N Credential Leak via ETHCheat</title>
  <meta name="description" content="Technical writeup for CVE-2026-34474, a sensitive data exposure issue in ZTE ZXHN H298A 1.1 and H108N 2.6 where crafted requests to getpage.lua with ETHCheat expose admin and WLAN secrets.">
  <meta name="theme-color" content="#06080b">
  <meta property="og:title" content="CVE-2026-34474: ZTE H298A / H108N Credential Leak via ETHCheat">
  <meta property="og:description" content="Observed exploit path: unauthenticated requests to getpage.lua?pid=1000&ETHCheat=1 return HTML containing the administrator password and WLAN PSK on affected H298A and H108N builds.">
  <meta property="og:type" content="article">
  <meta property="og:url" content="https://minanagehsalalma.github.io/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure/">
  <meta property="og:image" content="https://minanagehsalalma.github.io/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure/images/a0c8f47a-95e3-4fba-a99a-9984f4df84d2.png">
  <meta property="og:image:alt" content="Infographic for CVE-2026-34474 showing the ETHCheat trigger, affected devices, leaked fields, impact, and vendor response">
  <meta name="twitter:card" content="summary_large_image">
  <meta name="twitter:title" content="CVE-2026-34474: ZTE H298A / H108N Credential Leak via ETHCheat">
  <meta name="twitter:description" content="Unauthenticated ETHCheat requests return admin and WLAN secrets in the page markup on affected ZTE H298A and H108N router builds.">
  <meta name="twitter:image" content="https://minanagehsalalma.github.io/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure/images/a0c8f47a-95e3-4fba-a99a-9984f4df84d2.png">
  <link rel="canonical" href="https://minanagehsalalma.github.io/cve-2026-34474-zte-h298a-h108n-sensitive-data-exposure/">
  <link rel="icon" href="favicon.svg" type="image/svg+xml">
  <link rel="preconnect" href="https://fonts.googleapis.com">
  <link rel="preconnect" href="https://fonts.gstatic.com" crossorigin>
  <link href="https://fonts.googleapis.com/css2?family=JetBrains+Mono:wght@400;500;700&family=Space+Grotesk:wght@400;500;700&display=swap" rel="stylesheet">
  <link rel="stylesheet" href="assets/site.css?v=34474-5">
</head>
<body>
  <div class="shell">
    <header class="nav">
      <a class="brand" href="#top">CVE-2026-34474</a>
      <button class="nav-toggle" type="button" aria-expanded="false" aria-controls="nav-links">
        <span class="sr-only">Toggle navigation</span>
        <span></span>
        <span></span>
        <span></span>
      </button>
      <nav class="nav-links" id="nav-links" aria-label="Sections">
        <a href="#summary">Summary</a>
        <a href="#evidence">Evidence</a>
        <a href="#root-cause">Root Cause</a>
        <a href="#affected-devices">Devices</a>
        <a href="#timeline">Timeline</a>
        <a href="#code">Markup</a>
        <a href="#sources">Sources</a>
      </nav>
    </header>

    <section class="hero" id="top">
      <div class="hero-grid">
        <div class="hero-copy">
          <div class="eyebrow">Sensitive Data Exposure</div>
          <h1>
            <span class="hero-id">CVE-2026-34474</span>
            <span class="hero-title-main">ZTE H298A / H108N</span>
            <span class="hero-title-sub">Credential Leak via ETHCheat</span>
          </h1>
          <figure class="image-card hero-artifact hero-artifact-inline">
            <a class="image-link" href="images/a0c8f47a-95e3-4fba-a99a-9984f4df84d2.png" aria-label="Open full-size hero infographic">
              <img src="images/a0c8f47a-95e3-4fba-a99a-9984f4df84d2.png" alt="Infographic overview of the ETHCheat exploit path showing the trigger request, affected devices, leaked fields, impact, and vendor response">
            </a>
            <figcaption>Infographic overview of the unauthenticated <code>ETHCheat</code> path, the affected H298A and H108N builds, the leaked markup fields, and the vendor's discontinued/out-of-scope position.</figcaption>
          </figure>
          <p class="sub">I validated an unauthenticated credential leak in ZTE ZXHN H298A and H108N web interfaces and preserved the original 2024 PoC material in this repo. The observed trigger is a crafted request to <code>getpage.lua?pid=1000&amp;ETHCheat=1</code>; on the affected builds, the returned HTML contains the administrator password, ESSID, and WLAN PSK, while a companion wizard endpoint also exposes serial information. That turns a single unauthenticated page load into both management-panel compromise and Wi-Fi credential disclosure.</p>

          <div class="meta-strip" aria-label="Key properties">
            <span class="pill pill-danger">No authentication</span>
            <span class="pill pill-info">LAN by default, wider if admin UI is exposed</span>
            <span class="pill pill-warn">Admin and WLAN credential leak</span>
            <span class="pill pill-ok">Public CVE published 2026-05-06</span>
          </div>
        </div>

        <aside class="hero-side">
          <section class="stat-card mobile-collapsible" data-collapsed-mobile="true">
            <button class="card-toggle" type="button" aria-expanded="true">
              <span class="stat-label">Executive Summary</span>
              <span class="card-toggle-icon" aria-hidden="true"></span>
            </button>
            <div class="card-body">
              <dl class="facts-list">
                <div><dt>Attack requirement</dt><dd>Reachability to the router web UI</dd></div>
                <div><dt>Method</dt><dd>Crafted GET request with <code>ETHCheat=1</code></dd></div>
                <div><dt>Impact</dt><dd>Admin password, WLAN PSK, ESSID, and serial disclosure</dd></div>
                <div><dt>Affected targets</dt><dd>ZXHN H298A 1.1 and H108N 2.6</dd></div>
                <div><dt>First vendor disclosure</dt><dd>2024-05-02</dd></div>
                <div><dt>Public CVE</dt><dd>CVE-2026-34474</dd></div>
              </dl>
            </div>
          </section>

          <section class="stat-card compact-status-card mobile-collapsible" data-collapsed-mobile="true">
            <button class="card-toggle" type="button" aria-expanded="true">
              <span class="stat-label">Status</span>
              <span class="card-toggle-icon" aria-hidden="true"></span>
            </button>
            <div class="card-body">
              <div class="compact-status-list">
                <span><strong>Public CVE Assigned:</strong> CVE-2026-34474</span>
                <span style="color: #ef4444;"><strong>Vendor Position:</strong> discontinued / out of scope</span>
                <span><strong>CVE record published:</strong> 2026-05-06</span>
                <span><strong>Evidence preserved:</strong> original 2024 PoC scripts, screenshots, and report package</span>
                <span><strong>Scope in the public record:</strong> H298A 1.1 and H108N 2.6</span>
              </div>
            </div>
          </section>

          <section class="stat-card hero-links-card">
            <span class="stat-label">Links</span>
            <div class="badge-links">
              <a href="https://github.com/minanagehsalalma" aria-label="GitHub profile">
                <img src="https://img.shields.io/badge/GitHub-minanagehsalalma-111827?style=for-the-badge&logo=github" alt="GitHub badge">
              </a>
              <a href="https://www.linkedin.com/in/minanagehzekry/" aria-label="LinkedIn profile">
                <img src="https://img.shields.io/badge/LinkedIn-Mina%20Zekry-0A66C2?style=for-the-badge&logo=linkedin&logoColor=white" alt="LinkedIn badge">
              </a>
              <a href="https://x.com/MonxResearch" aria-label="X profile">
                <img src="https://img.shields.io/badge/X-MonxResearch-111827?style=for-the-badge&logo=x" alt="X badge">
              </a>
              <a href="https://medium.com/@monxresearch" aria-label="Medium profile">
                <img src="https://img.shields.io/badge/Medium-@monxresearch-12100E?style=for-the-badge&logo=medium" alt="Medium badge">
              </a>
            </div>
            <div class="cta-row hero-cta-row">
              <a class="button" href="https://www.cve.org/CVERecord?id=CVE-2026-34474">CVE Record</a>
              <a class="ghost" href="https://nvd.nist.gov/vuln/detail/CVE-2026-34474">NVD</a>
            </div>
          </section>
        </aside>
      </div>
    </section>

    <div class="layout">
      <main>
        <section class="panel summary-panel" id="summary">
          <div class="summary-head">
            <span class="stat-label">Summary</span>
            <h2>Executive Summary</h2>
          </div>
          <p class="summary-lead">The exploit path is a direct authentication-boundary failure. An unauthenticated request to <code>/getpage.lua</code> with <code>pid=1000&amp;ETHCheat=1</code> returns credential-bearing HTML on the affected H298A 1.1 and H108N 2.6 builds, including the administrator password and WLAN PSK. A related wizard endpoint also leaks serial information, showing that the disclosure surface is broader than one isolated DOM field.</p>
          <div class="summary-grid">
            <section class="summary-block">
              <h3>Root Cause</h3>
              <p>The unauthenticated <code>ETHCheat</code> path returns privileged configuration data inside the response body itself. The leak is visible in rendered HTML and can be harvested directly from hidden input values.</p>
            </section>
            <section class="summary-block">
              <h3>Exploit Path</h3>
              <ol class="flow-list compact-flow">
                <li>Send <code>GET /getpage.lua</code> with <code>pid=1000&amp;ETHCheat=1</code>.</li>
                <li>The response returns credential-bearing HTML fields without login.</li>
                <li>
                  Extract
                  <span class="summary-chip-list">
                    <code>OBJ_USERINFO_IDPassword1</code>
                    <code>WLANPSK_KeyPassphrase1</code>
                    <code>WLANAP_ESSID1</code>
                  </span>
                </li>
                <li>Query <code>wizard_overETHfail_set_lua.lua</code> for serial data.</li>
                <li>Use the leaked admin and WLAN secrets to cross the auth boundary.</li>
              </ol>
            </section>
            <section class="summary-block takeaway-block">
              <h3>Key Takeaway</h3>
              <p>This is not a weak-password issue. The management interface itself discloses the live secrets to unauthenticated callers on the affected builds.</p>
            </section>
          </div>
        </section>

        <section class="request-panel" id="evidence">
          <div class="request-head">
            <div>
              <h2>Trigger Requests</h2>
              <p>Observed requests preserved in the original PoC material.</p>
            </div>
            <span class="mini-pill">Unauthenticated GET</span>
          </div>
          <pre><code id="request-evidence">GET /getpage.lua?pid=1000&amp;ETHCheat=1
GET /wizard_page/wizard_overETHfail_set_lua.lua

Representative fields extracted by the PoC:
- OBJ_USERINFO_IDPassword1
- WLANPSK_KeyPassphrase1
- WLANAP_ESSID1
- SerialNumber</code></pre>
          <p class="request-note">The extraction script in <code>poc/extract_ethcheat_credentials.py</code> does not depend on browser state. It simply requests the page and regex-matches the secrets from the returned markup.</p>
        </section>
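
        <section class="panel">
          <p>Detection-side view of the two trigger requests above, as an added example (not part of the original PoC material in this repo): a scanner for Combined Log Format lines from a reverse proxy or HTTP monitor placed in front of the router UI. The log lines are constructed samples, and the case-insensitive, percent-decoded matching is an assumption made for detection coverage.</p>

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Paths and parameter name come from the trigger requests on this page.
# They are lower-cased because matching here is case-insensitive (an
# assumption for detection coverage, not a claim about the router's parser).
GETPAGE_PATH = "/getpage.lua"
WIZARD_PATH = "/wizard_page/wizard_overethfail_set_lua.lua"
TRIGGER_PARAM = "ethcheat"

# Combined Log Format: client, timestamp, method, target, status.
LOG_LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([A-Z]+) (\S+)[^"]*" (\d{3}) ')


def classify_target(target):
    """Label one request target, or return None when it is unrelated."""
    if target.lower().startswith(("http://", "https://")):
        parts = urlsplit(target)  # absolute-form, as a forward proxy logs it
        raw_path, query = parts.path, parts.query
    else:
        raw_path, _, query = target.partition("?")
    # Decode %xx escapes and collapse repeated slashes before comparing.
    path = re.sub(r"/{2,}", "/", unquote(raw_path)).lower()
    if path == WIZARD_PATH:
        return "wizard-serial-endpoint"
    if path == GETPAGE_PATH:
        # parse_qs decodes keys, so "%45THCheat" is seen as "ETHCheat".
        keys = {k.lower() for k in parse_qs(query, keep_blank_values=True)}
        if TRIGGER_PARAM in keys:
            return "ethcheat-trigger"
    return None


def scan(lines):
    """Return one finding dict per log line that matches either request."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, when, _method, target, status = m.groups()
        label = classify_target(target)
        if label:
            findings.append({
                "client": client,
                "time": when,
                "finding": label,
                # A 200 means the device answered: treat as likely disclosure.
                "answered": status == "200",
            })
    return findings


# Constructed sample lines (not captured from a real device).
SAMPLE_LOG = [
    '192.168.1.23 - - [10/May/2026:09:14:02 +0000] "GET /getpage.lua?pid=1000&ETHCheat=1 HTTP/1.1" 200 8412 "-" "curl/8.5.0"',
    '192.168.1.23 - - [10/May/2026:09:14:03 +0000] "GET /wizard_page/wizard_overETHfail_set_lua.lua HTTP/1.1" 200 611 "-" "curl/8.5.0"',
    '192.168.1.40 - - [10/May/2026:09:20:11 +0000] "GET /getpage.lua?pid=1002 HTTP/1.1" 200 9120 "-" "Mozilla/5.0"',
    '192.168.1.77 - - [10/May/2026:09:31:45 +0000] "GET //getpage.lua?%45THCheat=1&pid=1000 HTTP/1.1" 403 120 "-" "-"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

          <p>A finding with <code>answered</code> set means the device returned a 200 to the trigger, so the admin password and WLAN PSK on that unit should be treated as disclosed and rotated.</p>
        </section>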

        <section class="panel" id="affected-devices">
          <h2>Affected Devices</h2>
          <p>The public CVE record is scoped to the two locally reported and tested H-series-adjacent targets: <strong>ZTE ZXHN H298A 1.1</strong> and <strong>ZTE ZXHN H108N 2.6</strong>. The original evidence set also notes that some same-model variants exposed only partial identifiers such as username, ESSID, serial number, or MAC address rather than the full admin-and-WLAN secret set.</p>
          <div class="chips chips-grid">
            <span class="tag">ZXHN H298A</span>
            <span class="tag">V1.1</span>
            <span class="tag">ZXHN H108N</span>
            <span class="tag">V2.6</span>
            <span class="tag">ETHCheat path</span>
            <span class="tag">Wizard serial endpoint</span>
          </div>
        </section>

        <section class="panel validation-panel">
          <div class="validation-shell">
            <div class="validation-header">
              <div class="validation-title-group">
                <span class="validation-icon" aria-hidden="true">
                  <svg viewBox="0 0 24 24" role="presentation" focusable="false">
                    <path d="M9 3h6M10 3v5l-5 8a3 3 0 0 0 2.5 5h9a3 3 0 0 0 2.5-5l-5-8V3" />
                    <path d="M8.5 15h7" />
                  </svg>
                </span>
                <div>
                  <h2>PoC Snapshot</h2>
                  <p>The original 2024 proof set included an automated extractor and supporting screenshots. The public writeup uses redacted sample output while preserving the original artifacts in this repo.</p>
                </div>
              </div>
            </div>

            <article class="code-card terminal-card">
              <div class="code-head">
                <div>
                  <strong>Example PoC run</strong>
                  <span>Redacted output based on the preserved extraction script and field names.</span>
                </div>
                <button class="copy-button" type="button" data-copy-target="validation-poc">Copy</button>
              </div>
              <pre><code id="validation-poc" class="terminal-output"><span class="term-line"><span class="term-prompt">PS&gt;</span> <span class="term-command">python .\poc\extract_ethcheat_credentials.py</span></span>
<span class="term-line"><span class="term-ok">[+]</span> <span class="term-label">endpoint</span> <span class="term-dots">.............</span> <span class="term-value">/getpage.lua?pid=1000&amp;ETHCheat=1</span></span>
<span class="term-line"><span class="term-ok">[+]</span> <span class="term-label">admin_password</span> <span class="term-dots">....</span> <span class="term-redacted">[REDACTED]</span></span>
<span class="term-line"><span class="term-ok">[+]</span> <span class="term-label">wlan_psk</span> <span class="term-dots">...........</span> <span class="term-redacted">[REDACTED]</span></span>
<span class="term-line"><span class="term-ok">[+]</span> <span class="term-label">essid</span> <span class="term-dots">..............</span> <span class="term-redacted">[REDACTED]</span></span>
<span class="term-line"><span class="term-ok">[+]</span> <span class="term-label">serial_number</span> <span class="term-dots">......</span> <span class="term-redacted">[REDACTED]</span></span>
<span class="term-line"><span class="term-ok">[+]</span> <span class="term-label">result</span> <span class="term-dots">.............</span> <span class="term-result">credential leak confirmed</span></span></code></pre>
            </article>

            <div class="evidence-grid">
              <figure class="image-card figure-panel evidence-card">
                <a class="image-link" href="images/ethcheat-overview.png" aria-label="Open full-size ETHCheat overview screenshot">
                  <img src="images/ethcheat-overview.png" alt="Original 2024 screenshot captured during ETHCheat validation">
                </a>
                <figcaption><strong>ETHCheat path.</strong> Original local screenshot from the 2024 validation set used to preserve the leak behavior of the crafted management-page request.</figcaption>
              </figure>
              <figure class="image-card figure-panel evidence-card">
                <a class="image-link" href="images/ethcheat-response.png" aria-label="Open full-size ETHCheat response screenshot">
                  <img src="images/ethcheat-response.png" alt="Original 2024 screenshot showing a related response captured during validation">
                </a>
                <figcaption><strong>Response capture.</strong> Companion screenshot from the same evidence set showing the returned data surface used by the extraction script.</figcaption>
              </figure>
            </div>
          </div>
        </section>

        <section class="panel">
          <h2>Impact and Limits</h2>
          <div class="limit-grid">
            <div class="limit-card">
              <h3>Impact</h3>
              <ul>
                <li>The returned administrator password allows direct access to the management interface on affected builds.</li>
                <li>The WLAN PSK disclosure extends the impact beyond the web panel and into local network access.</li>
                <li>Serial and identifier leakage provides additional device intelligence even on reduced-disclosure variants.</li>
              </ul>
            </div>
            <div class="limit-card">
              <h3>Limits</h3>
              <ul>
                <li>The public CVE record currently names only H298A 1.1 and H108N 2.6.</li>
                <li>Some same-model variants reportedly leaked a smaller field set instead of the full admin-and-WLAN secret set.</li>
                <li>The server-side Lua implementation of the <code>ETHCheat</code> branch remains opaque, but the black-box behavior is unambiguous: the router deterministically serves plaintext secrets to unauthenticated callers.</li>
              </ul>
            </div>
          </div>
        </section>

        <section class="panel" id="root-cause">
          <h2>Root Cause Analysis</h2>
          <p>This is not a weak-password or brute-force issue; it is a fundamental breakdown of the authentication boundary. Four details highlight the severity of this exposure:</p>
          <div class="firmware-grid">
            <article class="limit-card firmware-card">
              <h3>1. The trigger is deterministic</h3>
              <p>The PoC does not rely on timing, session reuse, or post-auth state. A direct GET request to <code>getpage.lua?pid=1000&amp;ETHCheat=1</code> is enough to reproduce the disclosure path on the affected builds.</p>
            </article>
            <article class="limit-card firmware-card">
              <h3>2. The secrets are in the response body</h3>
              <p>The administrator password and WLAN PSK are not inferred indirectly. The extraction script pulls them from named HTML fields such as <code>OBJ_USERINFO_IDPassword1</code> and <code>WLANPSK_KeyPassphrase1</code>.</p>
            </article>
            <article class="limit-card firmware-card">
              <h3>3. A related endpoint leaks device identity data</h3>
              <p>The companion request to <code>wizard_overETHfail_set_lua.lua</code> exposes the serial number in structured output, which shows the disclosure surface is broader than one page template.</p>
            </article>
            <article class="limit-card firmware-card">
              <h3>4. Variant behavior differs, but the auth boundary still fails</h3>
              <p>Even where the same model family leaks only username, ESSID, serial, or MAC address, the router is still returning sensitive management data to an unauthenticated caller. The core bug is the same broken trust boundary.</p>
            </article>
          </div>
        </section>

        <section class="panel" id="firmware-trail">
          <h2>Evidence Boundaries</h2>
          <p>This repo preserves the original proof material and the later CVE-assignment trail. The exposure is validated through black-box testing and deterministic response capture, which demonstrates the vulnerability and its full impact even without access to the proprietary server-side Lua implementation.</p>
          <div class="firmware-grid">
            <article class="limit-card firmware-card">
              <h3>What The Current Evidence Shows</h3>
              <ul>
                <li>The leak is reproducible with unauthenticated requests.</li>
                <li>The extracted values are named directly in the returned markup and structured endpoint output.</li>
                <li>The impact aligns with the official CVE record: information disclosure leading to auth bypass and Wi-Fi compromise.</li>
              </ul>
            </article>
            <article class="limit-card firmware-card">
              <h3>Open Reverse-Engineering Track</h3>
              <ul>
                <li>Recover the exact server-side implementation that honors <code>ETHCheat=1</code>.</li>
                <li>Map the code path that populates <code>OBJ_USERINFO_IDPassword1</code> and <code>WLANPSK_KeyPassphrase1</code>.</li>
                <li>Determine whether later operator builds removed the branch entirely or only reduced the returned field set.</li>
              </ul>
            </article>
          </div>
        </section>

        <section class="panel" id="code">
          <h2>Where the Leak Appears in Returned Markup</h2>
          <p>The strongest technical evidence currently available is not a decompiled source file; it is the returned content itself and the field names the extractor reads from it.</p>

          <article class="code-card">
            <div class="code-head">
              <div>
                <strong>Credential-bearing HTML fields</strong>
                <span>Reconstructed from the original page captures and extraction script.</span>
              </div>
              <button class="copy-button" type="button" data-copy-target="markup-snippet">Copy</button>
            </div>
            <pre><code id="markup-snippet" class="language-html">&lt;input id='OBJ_USERINFO_IDPassword1' value='[REDACTED]' /&gt;
&lt;input id='WLANAP_ESSID1' value='[REDACTED]' /&gt;
&lt;input id='WLANPSK_KeyPassphrase1' value='[REDACTED]' /&gt;</code></pre>
          </article>

          <article class="code-card">
            <div class="code-head">
              <div>
                <strong>Related serial-number disclosure</strong>
                <span>Pattern pulled by <code>poc/check_serialnumber_endpoint.py</code>.</span>
              </div>
              <button class="copy-button" type="button" data-copy-target="serial-snippet">Copy</button>
            </div>
            <pre><code id="serial-snippet" class="language-xml">&lt;ParaName&gt;SerialNumber&lt;/ParaName&gt;
&lt;ParaValue&gt;[REDACTED]&lt;/ParaValue&gt;</code></pre>
          </article>
        </section>
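
        <section class="panel">
          <p>For owners auditing a response body saved from their own device, the following added example (not the repo's extraction script) reports which of the fields named above are populated and separates the full credential leak from the reduced identifier-only variants, without ever returning the values. The sample bodies and the verdict labels are constructed for illustration.</p>

```python
from html.parser import HTMLParser

# Field ids named on this page, split into credentials and identifiers.
CREDENTIAL_IDS = {"OBJ_USERINFO_IDPassword1", "WLANPSK_KeyPassphrase1"}
IDENTIFIER_IDS = {"WLANAP_ESSID1"}
WATCHED_IDS = CREDENTIAL_IDS | IDENTIFIER_IDS


class FieldAudit(HTMLParser):
    """Record which watched fields carry a non-empty value, never the value."""

    def __init__(self):
        super().__init__()
        self.populated = set()
        self._tag = None        # set while inside ParaName / ParaValue
        self._last_name = None  # text of the most recent ParaName

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and a.get("id") in WATCHED_IDS:
            if (a.get("value") or "").strip():
                self.populated.add(a["id"])
        # HTMLParser lower-cases tag names, hence "paraname" / "paravalue".
        self._tag = tag if tag in ("paraname", "paravalue") else None

    def handle_endtag(self, tag):
        self._tag = None

    def handle_data(self, data):
        text = data.strip()
        if self._tag == "paraname":
            self._last_name = text
        elif self._tag == "paravalue" and self._last_name == "SerialNumber" and text:
            self.populated.add("SerialNumber")


def audit(body):
    """Return (verdict, sorted list of populated field names) for one body."""
    parser = FieldAudit()
    parser.feed(body)
    parser.close()
    found = parser.populated
    if CREDENTIAL_IDS & found:
        verdict = "credentials-exposed"
    elif found:
        verdict = "identifiers-only"
    else:
        verdict = "no-watched-fields"
    return verdict, sorted(found)


# Constructed sample bodies; every value is a placeholder, not device data.
FULL_BODY = (
    "<input id='OBJ_USERINFO_IDPassword1' value='example-admin-pass' />\n"
    "<input id='WLANAP_ESSID1' value='ExampleNet' />\n"
    "<input id='WLANPSK_KeyPassphrase1' value='example-psk' />"
)
PARTIAL_BODY = (
    "<input id='OBJ_USERINFO_IDPassword1' value='' />\n"
    "<input id='WLANAP_ESSID1' value='ExampleNet' />"
)
SERIAL_BODY = "<ParaName>SerialNumber</ParaName>\n<ParaValue>EXAMPLE0001</ParaValue>"

if __name__ == "__main__":
    for name, body in (("full", FULL_BODY), ("partial", PARTIAL_BODY), ("serial", SERIAL_BODY)):
        print(name, audit(body))
```
        </section>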

        <section class="panel">
          <h2>Vendor Position</h2>
          <p>ZTE PSIRT acknowledged the original report in May 2024 and later stated on <strong>2026-02-02</strong> that the H298A and H108N products had been discontinued in <strong>2022</strong> and <strong>2023</strong> respectively, placing them outside the scope of vulnerability submission and declining vendor-side CVE assignment.</p>
          <p>MITRE later assigned <strong>CVE-2026-34474</strong> and requested a public reference URL. That is why this writeup focuses on preserving the original proof material and the technical minimum needed to anchor the public record, even though a vendor remediation narrative is not available.</p>
        </section>

        <section class="panel" id="sources">
          <h2>Sources</h2>
          <p>Primary public references used to anchor the official record and the vendor's public EOS position.</p>
          <div class="reference-cards">
            <a class="reference-card" href="https://www.cve.org/CVERecord?id=CVE-2026-34474">
              <strong>CVE Record</strong>
              <span>Official description and publication record for CVE-2026-34474</span>
            </a>
            <a class="reference-card" href="https://nvd.nist.gov/vuln/detail/CVE-2026-34474">
              <strong>NVD</strong>
              <span>NVD publication record for the same issue</span>
            </a>
            <a class="reference-card" href="https://gist.github.com/minanagehsalalma/7a8516b9b00d0008f2f25750320560c9">
              <strong>Public Advisory Gist</strong>
              <span>Public reference URL submitted to MITRE after assignment</span>
            </a>
            <a class="reference-card" href="https://support.zte.com.cn/support/news/NewsDetail.aspx?newsId=1018804">
              <strong>ZTE EOS Notice</strong>
              <span>Vendor link cited by ZTE for one of the affected products</span>
            </a>
            <a class="reference-card" href="https://support.zte.com.cn/support/news/NewsDetail.aspx?newsId=1022344">
              <strong>ZTE EOS Notice</strong>
              <span>Second vendor EOS link cited in the 2026 decline message</span>
            </a>
          </div>
        </section>
      </main>

      <aside class="sidebar">
        <section class="source-card">
          <h3>Disclosure Status</h3>
          <ul>
            <li><strong>Initial report:</strong> 2024-05-02</li>
            <li><strong>Vendor acknowledgment:</strong> 2024-05-06</li>
            <li><strong>Vendor CVE decline:</strong> 2026-02-02</li>
            <li><strong>Assigned public ID:</strong> CVE-2026-34474</li>
          </ul>
        </section>

        <section class="source-card" id="author">
          <h3>Author</h3>
          <p><strong>Mina Zekry</strong></p>
        </section>
      </aside>
    </div>

    <section class="panel timeline-panel" id="timeline">
      <h2>Disclosure Timeline</h2>
      <div class="timeline">
        <article class="timeline-item">
          <strong>2024-05-02</strong>
          <p>ZTE PSIRT received the original H298A / H108N report covering the <code>ETHCheat</code> credential leak and companion serial-disclosure path.</p>
        </article>
        <article class="timeline-item">
          <strong>2024-05-06</strong>
          <p>ZTE acknowledged receipt of the report.</p>
        </article>
        <article class="timeline-item">
          <strong>2024-05-08</strong>
          <p>ZTE verified the issue and referenced EOS announcements for the impacted product line.</p>
        </article>
        <article class="timeline-item">
          <strong>2026-01-17</strong>
          <p>MITRE service request <strong>1980204</strong> was opened with the three original ZTE issue packages, including the H298A / H108N evidence set.</p>
        </article>
        <article class="timeline-item">
          <strong>2026-02-02</strong>
          <p>ZTE declined vendor-side CVE assignment and said the two affected products had been discontinued in <strong>2022</strong> and <strong>2023</strong>.</p>
        </article>
        <article class="timeline-item">
          <strong>2026-03-27</strong>
          <p>MITRE assigned <strong>CVE-2026-34474</strong> and requested a public reference URL containing the minimum publication data.</p>
        </article>
        <article class="timeline-item">
          <strong>2026-03-30</strong>
          <p>The public advisory reference was sent to MITRE, and publication follow-up was opened under service request <strong>2016046</strong>.</p>
        </article>
        <article class="timeline-item">
          <strong>2026-05-06</strong>
          <p><strong>CVE-2026-34474</strong> was published on <code>cve.org</code> and appeared in NVD the same day.</p>
        </article>
      </div>
    </section>

    <footer class="footer">
      Technical breakdown updated on 2026-05-18 from preserved 2024 validation material, the original report package, and the 2024-2026 disclosure trail.
    </footer>
  </div>

  <div class="lightbox" id="image-lightbox" hidden aria-hidden="true">
    <button class="lightbox-backdrop" type="button" data-lightbox-close tabindex="-1" aria-label="Close image viewer"></button>
    <div class="lightbox-dialog" role="dialog" aria-modal="true" aria-labelledby="lightbox-caption">
      <button class="lightbox-close" type="button" data-lightbox-close aria-label="Close image viewer">Close</button>
      <img class="lightbox-image" id="lightbox-image" alt="">
      <p class="lightbox-caption" id="lightbox-caption"></p>
    </div>
  </div>

  <script src="assets/site.js?v=34474-5"></script>
</body>
</html>