Description
Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. A denial-of-service condition can be triggered against the router's web interface by sending an oversized application/x-www-form-urlencoded POST body. After triggering, the management interface may become unresponsive until the device is rebooted. This may affect any firmware version prior to 2022 (reporter observation). The supplier stated that devices are not vulnerable since 2021-03-23; operator firmware may vary.
Published: 2026-05-06
Score: 7.5 High
EPSS: 1.6% Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An unauthenticated denial-of-service flaw exists in the web interface of several ZTE router models. By sending an oversized application/x-www-form-urlencoded POST body, an attacker can trigger a crash or hang in the management interface. Once triggered, the router's administrative interface becomes unusable until a reboot is performed, disrupting remote management and potentially exposing the device to further attack.

Affected Systems

Affected devices are ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. The vulnerability applies to firmware released before 2022, as observed by the reporter; the vendor asserts that models with firmware updates from 2021‑03‑23 onward are no longer vulnerable, although operator firmware may vary across deployments.

Risk and Exploitability

The vulnerability is exploitable without authentication or special privileges, so any host that can reach the web interface can trigger it. The EPSS score of 2% indicates a low but measurable probability of exploitation, suggesting that the vulnerability may be attempted in real-world environments. The CVSS score of 7.5 indicates high severity for the denial-of-service condition, which can render the router's web interface inoperable until a reboot and potentially disrupt business continuity. The issue is not listed in CISA's KEV catalog, but the public advisory describes a risk that is open to any unauthenticated sender and requires urgent attention.

Generated by OpenCVE AI on May 30, 2026 at 15:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade router firmware to a release made after 2021‑03‑23, which the vendor claims removes the vulnerability.
  • Configure the router or a perimeter firewall to reject HTTP POST requests with a Content‑Length greater than a reasonable threshold (e.g., 10 KB) to the administrative URLs, thereby limiting the oversized payload attack vector.
  • If the web‑based management interface is not required, disable it or bind it to a local network only, removing exposure to external attackers.
  • Continuously monitor the router’s management interface for unresponsiveness and schedule an automatic reboot if a DoS event is detected.

Advisories

No advisories yet.

History

Sat, 30 May 2026 15:30:00 +0000

Type Values Removed Values Added
Title Unauthenticated Denial-of-Service via Oversized POST to ZTE Router Web Interface

Tue, 26 May 2026 13:45:00 +0000

Type Values Removed Values Added
References

Thu, 07 May 2026 21:45:00 +0000

Type Values Removed Values Added
First Time appeared Zte
Zte h167a
Zte h168n
Zte h181a
Zte h196a
Zte h196q
Zte h198a
Zte h199a
Zte h208n
Zte h267a
Zte h267n
Zte h268a
Zte h268n
Zte h288a
Zte h367n
Zte h369a
Zte h388x
Zte h8102e
Vendors & Products Zte
Zte h167a
Zte h168n
Zte h181a
Zte h196a
Zte h196q
Zte h198a
Zte h199a
Zte h208n
Zte h267a
Zte h267n
Zte h268a
Zte h268n
Zte h288a
Zte h367n
Zte h369a
Zte h388x
Zte h8102e

Thu, 07 May 2026 01:15:00 +0000

Type Values Removed Values Added
Title Unauthenticated Denial-of-Service via Oversized POST to ZTE Router Web Interface

Wed, 06 May 2026 23:15:00 +0000

Type Values Removed Values Added
Title DoS Vulnerability in ZTE Router Web Interface via Oversized POST Payload
Weaknesses CWE-119
CWE-770

Wed, 06 May 2026 21:30:00 +0000

Type Values Removed Values Added
Title DoS Vulnerability in ZTE Router Web Interface via Oversized POST Payload
Weaknesses CWE-119
CWE-770

Wed, 06 May 2026 20:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 06 May 2026 19:15:00 +0000

Type Values Removed Values Added
Description Unauthenticated DoS in ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. A denial-of-service condition can be triggered against the router's web interface by sending an oversized application/x-www-form-urlencoded POST body. After triggering, the management interface may become unresponsive until the device is rebooted. This may affect any firmware version prior to 2022 (reporter observation). The supplier stated that devices are not vulnerable since 2021-03-23; operator firmware may vary.
References

MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-05-26T05:20:51.185Z

Reserved: 2026-03-27T00:00:00.000Z

Link: CVE-2026-34473

Vulnrichment

Updated: 2026-05-26T05:20:51.185Z

NVD

Status: Awaiting Analysis

Published: 2026-05-06T19:16:36.413

Modified: 2026-05-26T07:16:18.467

Link: CVE-2026-34473

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-30T15:15:16Z

Weaknesses