<?xml version="1.0" encoding="utf-8" standalone="yes"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom" xmlns:content="http://purl.org/rss/1.0/modules/content/"><channel><title>ZXHN H188A - CraftedSignal Threat Feed</title><link>https://feed.craftedsignal.io/products/zxhn-h188a/</link><description>Trending threats, MITRE ATT&amp;CK coverage, and detection metadata. Fed continuously.</description><generator>Hugo</generator><language>en</language><managingEditor>hello@craftedsignal.io</managingEditor><webMaster>hello@craftedsignal.io</webMaster><lastBuildDate>Wed, 03 Jan 2024 12:00:00 +0000</lastBuildDate><atom:link href="https://feed.craftedsignal.io/products/zxhn-h188a/feed.xml" rel="self" type="application/rss+xml"/><item><title>ZTE ZXHN H188A Unauthenticated Credential Disclosure (CVE-2026-34472)</title><link>https://feed.craftedsignal.io/briefs/2024-01-03-zte-zxhn-credential-disclosure/</link><pubDate>Wed, 03 Jan 2024 12:00:00 +0000</pubDate><author>hello@craftedsignal.io</author><guid isPermaLink="true">https://feed.craftedsignal.io/briefs/2024-01-03-zte-zxhn-credential-disclosure/</guid><description>CVE-2026-34472 allows unauthenticated attackers on the local network to retrieve sensitive credentials from vulnerable ZTE ZXHN H188A routers via the web management interface, potentially leading to unauthorized access and control.</description><content:encoded><![CDATA[<p>CVE-2026-34472 is a critical vulnerability affecting ZTE ZXHN H188A routers, specifically versions V6.0.10P2_TE and V6.0.10P3N3_TE. This vulnerability allows an unauthenticated attacker on the local network to access sensitive information, including the default administrator password, WLAN PSK, and PPPoE credentials. The vulnerability resides within the router's web management interface and arises from insufficient access controls. Successful exploitation grants attackers the ability to potentially perform configuration changes without authentication, leading to a complete compromise of the device and connected network. Defenders need to prioritize detection and mitigation of this vulnerability to prevent unauthorized access and potential data breaches.</p>
<h2 id="attack-chain">Attack Chain</h2>
<ol>
<li>The attacker gains access to the local network where the vulnerable ZTE ZXHN H188A router is connected.</li>
<li>The attacker sends a crafted HTTP request to the router's web management interface on port 80 or 443.</li>
<li>The vulnerable router processes the request without proper authentication checks.</li>
<li>The router discloses sensitive information, including the default administrator password, WLAN PSK, and PPPoE credentials, in the HTTP response.</li>
<li>The attacker uses the obtained administrator password to log into the web management interface.</li>
<li>The attacker modifies router settings, such as DNS servers, firewall rules, or WLAN configurations.</li>
<li>The attacker intercepts network traffic or redirects users to malicious websites.</li>
<li>The attacker gains complete control over the router and the connected network.</li>
</ol>
<h2 id="impact">Impact</h2>
<p>Successful exploitation of CVE-2026-34472 allows attackers to gain complete control over the vulnerable ZTE ZXHN H188A router and the connected network. This could lead to data breaches, malware infections, and denial-of-service attacks. Given the potential for unauthorized access and control, this vulnerability poses a significant risk to both home and small business networks. The number of affected devices and networks is currently unknown, but the widespread use of these routers suggests a potentially large attack surface.</p>
<h2 id="recommendation">Recommendation</h2>
<ul>
<li>Deploy the Sigma rule <code>Detect ZTE ZXHN H188A Credential Disclosure Attempt</code> to your SIEM to detect suspicious HTTP requests targeting the router's web management interface.</li>
<li>Disable remote access to the router's web management interface to reduce the attack surface.</li>
<li>If possible, replace the vulnerable ZTE ZXHN H188A router with a more secure model.</li>
<li>Monitor network traffic for unusual DNS queries or connections to suspicious IP addresses after applying this patch using network_connection and dns_query logs.</li>
</ul>
]]></content:encoded><category domain="severity">critical</category><category domain="type">advisory</category><category>credential-access</category><category>router</category><category>zte</category><category>cve-2026-34472</category></item></channel></rss>