Unauthenticated DoS Vulnerability in ZTE Routers
CVE-2026-34473

7.5 HIGH

Key Information:

Badges

👾 Exploit Exists
🟡 Public PoC

What is CVE-2026-34473?

An unauthenticated denial-of-service vulnerability exists in multiple models of ZTE routers. An attacker can send an oversized application/x-www-form-urlencoded POST body to the management interface, which can render the device unresponsive until it is rebooted. Devices running firmware versions older than 2022 may be particularly affected, although the supplier has indicated that devices post-March 2021 may not be vulnerable, depending on operator firmware variations.

Exploit Proof of Concept (PoC)

PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component for weaponization, which could lead to ransomware.

CVSS V3.1

Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: None
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • 🟡 Public PoC available
  • 👾 Exploit known to exist
  • Vulnerability published
  • Vulnerability Reserved