CVE-2026-34473 Overview
CVE-2026-34473 is an unauthenticated denial-of-service (DoS) vulnerability affecting multiple ZTE residential gateway routers. An attacker can crash the router's web management interface by sending an oversized application/x-www-form-urlencoded POST body. Once triggered, the management interface stops responding until the device is rebooted. The flaw is classified under CWE-400: Uncontrolled Resource Consumption and requires no authentication or user interaction. The reporter observed the issue on firmware versions prior to 2022, while ZTE states that devices shipped after 2021-03-23 are not vulnerable. Operator-customized firmware images may still be affected.
Critical Impact
Remote unauthenticated attackers can render the router management interface unresponsive over the network, requiring a physical or administrative reboot to restore availability.
Affected Products
- ZTE residential gateway models: H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A
- ZTE residential gateway models: H388X, H196A, H369A, H268N, H208N, H367N, H181A, H196Q
- Firmware versions prior to 2022 per reporter; operator-distributed firmware may differ from ZTE baseline
Discovery Timeline
- 2026-05-06 - CVE-2026-34473 published to the National Vulnerability Database (NVD)
- 2026-05-06 - Last updated in NVD database
Technical Details for CVE-2026-34473
Vulnerability Analysis
The vulnerability resides in the HTTP request handling logic of the ZTE router's embedded web management interface. The server fails to enforce a reasonable size limit on incoming application/x-www-form-urlencoded POST request bodies. When an attacker submits an oversized form-encoded payload, the device exhausts available memory or processing resources allocated to the management daemon. The attack is reachable across the network without credentials, making any LAN-side host a potential source. In some deployments where the management interface is exposed to the WAN, remote internet-based attackers can also trigger the condition.
Root Cause
The root cause is uncontrolled resource consumption [CWE-400] during request body parsing. The HTTP server accepts arbitrarily large form-encoded bodies and attempts to buffer or process them without bounding the allocation. This design omission allows a single request to consume disproportionate resources on the constrained embedded device.
Attack Vector
An unauthenticated attacker on a network path to the router sends a single HTTP POST request with a Content-Type: application/x-www-form-urlencoded header and an oversized body. The web interface becomes unresponsive immediately after processing the request. Recovery requires a manual reboot. Attackers can repeatedly issue the request to maintain a persistent denial-of-service condition against the device's management plane. Refer to the GitHub Gist proof-of-concept for the request structure.
No verified exploit code is reproduced here. The technical mechanism involves a single oversized HTTP POST body delivered to the router's web management endpoint, with no authentication exchange and no special headers beyond the standard form-encoded content type.
Detection Methods for CVE-2026-34473
Indicators of Compromise
- HTTP POST requests to the router's management interface with Content-Type: application/x-www-form-urlencoded and abnormally large Content-Length values
- Sudden loss of responsiveness from the router web administration port (typically TCP 80 or 443) following a single inbound POST
- Repeated identical large POST requests originating from a single LAN or WAN source IP address
Detection Strategies
- Monitor network traffic to ZTE router management interfaces for HTTP POST bodies that exceed expected sizes for legitimate form submissions
- Alert on management interface availability failures correlated with inbound HTTP traffic spikes
- Inspect router system logs for memory pressure events, watchdog resets, or HTTP daemon restarts
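The first detection strategy above, as an added example that is not part of the original advisory: a small filter over HTTP metadata records that flags oversized form-encoded POSTs to management addresses and the sources that repeat them. The CSV layout, the management address `192.168.1.1`, the 8 KiB threshold and the repeat count are assumptions to replace with values from your own sensor and baseline.

```python
import csv
import io
from collections import Counter

# Assumptions, not from the advisory: management hosts, thresholds and the
# CSV layout are placeholders for your own sensor output and traffic baseline.
MGMT_HOSTS = {"192.168.1.1"}
MGMT_PORTS = {80, 443}
MAX_FORM_BODY = 8 * 1024   # bytes allowed for a legitimate form submission
REPEAT_THRESHOLD = 3       # oversized POSTs from one source before escalating
FIELDS = ["ts", "src", "dst", "dport", "method", "ctype", "clen"]

# Constructed sample records, one per HTTP request seen by the sensor.
SAMPLE_LOG = """\
2026-05-07T10:00:01Z,192.168.1.23,192.168.1.1,80,POST,application/x-www-form-urlencoded,212
2026-05-07T10:02:10Z,192.168.1.50,192.168.1.1,80,POST,application/x-www-form-urlencoded; charset=UTF-8,5242880
2026-05-07T10:02:40Z,192.168.1.50,192.168.1.1,80,POST,application/x-www-form-urlencoded,5242880
2026-05-07T10:03:05Z,192.168.1.50,192.168.1.1,80,POST,application/x-www-form-urlencoded,5242880
2026-05-07T10:04:00Z,192.168.1.77,192.168.1.1,80,POST,multipart/form-data,5242880
2026-05-07T10:05:00Z,192.168.1.50,10.0.0.9,80,POST,application/x-www-form-urlencoded,5242880
2026-05-07T10:06:00Z,192.168.1.23,192.168.1.1,80,GET,-,bad
"""

def parse(log_text):
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        try:
            row["dport"], row["clen"] = int(row["dport"]), int(row["clen"])
        except (TypeError, ValueError):
            continue  # skip short or malformed records instead of aborting
        yield row

def is_oversized_form_post(rec):
    ctype = rec["ctype"].split(";")[0].strip().lower()  # drop "; charset=..."
    return (rec["dst"] in MGMT_HOSTS and rec["dport"] in MGMT_PORTS
            and rec["method"].upper() == "POST"
            and ctype == "application/x-www-form-urlencoded"
            and rec["clen"] > MAX_FORM_BODY)

def detect(log_text):
    hits = [r for r in parse(log_text) if is_oversized_form_post(r)]
    per_src = Counter(r["src"] for r in hits)
    repeat = sorted(s for s, n in per_src.items() if n >= REPEAT_THRESHOLD)
    return hits, repeat

if __name__ == "__main__":
    hits, repeat = detect(SAMPLE_LOG)
    for r in hits:
        print(f"{r['ts']} {r['src']} -> {r['dst']}:{r['dport']} {r['clen']} bytes")
    print("repeat sources:", repeat)
```

Correlate each hit's timestamp with the availability checks for the same router: an oversized POST followed by loss of the management port is the pattern listed under Indicators of Compromise.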
Monitoring Recommendations
- Baseline normal management traffic volume and request sizes, then alert on deviations
- Track router uptime and unexpected reboots across the device fleet using SNMP or syslog telemetry
- Restrict and log access attempts to router management interfaces from untrusted network segments
How to Mitigate CVE-2026-34473
Immediate Actions Required
- Identify all affected ZTE gateway models in the environment and confirm firmware build dates against the 2021-03-23 supplier baseline
- Disable WAN-side access to the router web management interface and restrict LAN access to trusted administrative hosts only
- Contact the operator or internet service provider distributing the device to request firmware verification or update
Patch Information
ZTE states that devices manufactured after 2021-03-23 are not vulnerable. Operators that distribute customized firmware images should validate their builds against the vendor baseline. Consult the ZTE Global Security Overview for vendor advisories and firmware update channels. No specific patched firmware version is identified in the published CVE record.
Workarounds
- Place the router management interface behind an access control list that permits only specific administrative source IPs
- Disable remote management features such as TR-069 WAN access where not operationally required
- Deploy an upstream network device or firewall rule that drops HTTP POST requests with Content-Length values exceeding a defined threshold for the management port
- Schedule periodic reboots and monitor management plane availability to detect and recover from active DoS attempts
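# Example iptables rules restricting access to the management interface
# iptables does not inspect HTTP bodies, so these rules limit who can reach
# TCP 80 on the router rather than the size of a POST
# Drop sources holding more than 5 concurrent connections to the port
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 \
  -m connlimit --connlimit-above 5 -j DROP
# Allow the trusted administrative subnet
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 \
  -s <trusted_admin_subnet> -j ACCEPT
# Drop all other traffic to the management port
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP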


