From: "m.nageh" <minanageh379 () gmail com>
Date: Wed, 20 May 2026 16:33:37 +0200
-----BEGIN SECURITY ADVISORY-----
Advisory ID: MONX-2021-001
CVE ID: CVE-2021-21735
Title: ZTE ZXHN H168N V3.5 - Unauthenticated Wizard Credential Disclosure to Full Admin Compromise
Affected: ZTE ZXHN H168N V3.5
Date: 2026-05-20
Author: Mina Nageh Salalma (Monx Research)
Contact: minanageh379 () gmail com
Public URL: https://github.com/minanagehsalalma/cve-2021-21735-zte-zxhn-h168n-admin-compromise
MITRE: https://www.cve.org/CVERecord?id=CVE-2021-21735

VULNERABILITY DESCRIPTION
--------------------------
The ZTE ZXHN H168N V3.5 firmware exposes quick-setup wizard endpoints that
return PPPoE credentials (ADUsername, VDUsername) and the WLAN KeyPassphrase
via the GetPassword action without requiring authentication. The firmware
routing allowlists these endpoints through a QuickSetupEnable branch.

In ISP-deployed configurations where the Wi-Fi password is reused as the
default admin password, this credential disclosure is a full admin compromise
chain requiring a single unauthenticated HTTP request.

A bulk PoC script (zte_zxhn_h168n_bulk_poc.py) is included in the repository
for verifying the scale of exposure.

CREDITS
-------
Mina Nageh Salalma (Monx Research)
https://github.com/minanagehsalalma
-----END SECURITY ADVISORY-----
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/