Impact
An unauthenticated denial‑of‑service flaw exists in the web interface of several ZTE router models. By sending an oversized application/x‑www‑form‑urlencoded POST body, an attacker can trigger a crash or hang in the management interface. Once triggered, the router’s administrative interface becomes unusable until the device is rebooted, disrupting remote management and potentially exposing the device to further attack.
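The check a defender would put in front of such an interface (on a reverse proxy or management gateway), as an added example that is not ZTE's code and not taken from the advisory: it inspects only the HTTP request head and rejects form‑urlencoded POSTs whose declared body size exceeds a limit before any body bytes are buffered, so the oversized body never reaches the fragile handler. The 8 KiB limit, the sample request heads and the host address are constructed assumptions; the advisory gives no threshold.

```python
"""Screen HTTP request heads for oversized form-urlencoded POST bodies.

Added example for this advisory; not vendor code. The limit below and the
sample request heads are assumptions chosen for illustration.
"""
from typing import NamedTuple

# Assumed limit: set it to the largest legitimate form the real interface accepts.
MAX_FORM_BODY_BYTES = 8 * 1024


class Verdict(NamedTuple):
    allowed: bool
    reason: str


def parse_request_head(raw: bytes) -> tuple[str, str, dict[str, str]]:
    """Split a raw HTTP/1.1 request head into (method, target, headers).

    Only the head (up to the blank line) is parsed; the body is never read,
    which is the point: the decision is made before any body bytes are buffered.
    Header names are lower-cased so lookups are case-insensitive.
    """
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)  # ValueError if malformed
    headers: dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def screen_request(raw: bytes, limit: int = MAX_FORM_BODY_BYTES) -> Verdict:
    """Decide whether a request may be forwarded, using the head alone."""
    try:
        method, _target, headers = parse_request_head(raw)
    except ValueError:
        return Verdict(False, "malformed request line")
    if method != "POST":
        return Verdict(True, "not a POST")
    # Strip parameters such as "; charset=UTF-8" before comparing the media type.
    ctype = headers.get("content-type", "").split(";", 1)[0].strip().lower()
    if ctype != "application/x-www-form-urlencoded":
        return Verdict(True, "not a form body")
    # A chunked body has no declared size, so it cannot be bounded up front.
    if "chunked" in headers.get("transfer-encoding", "").lower():
        return Verdict(False, "chunked form body: length unknown up front")
    length_hdr = headers.get("content-length")
    if length_hdr is None or not length_hdr.isdigit():
        return Verdict(False, "missing or malformed Content-Length")
    length = int(length_hdr)
    if length > limit:
        return Verdict(False, f"form body {length} bytes exceeds limit {limit}")
    return Verdict(True, f"form body {length} bytes within limit")


def screen_batch(samples: dict[str, bytes]) -> dict[str, bool]:
    """Map each named request head to whether it would be forwarded."""
    return {name: screen_request(raw).allowed for name, raw in samples.items()}


# Constructed sample request heads (not captured from a real device); 192.0.2.1
# is a documentation address standing in for the router's management IP.
SAMPLES = {
    "normal_login": (b"POST /login HTTP/1.1\r\nHost: 192.0.2.1\r\n"
                     b"Content-Type: application/x-www-form-urlencoded\r\n"
                     b"Content-Length: 64\r\n\r\n"),
    "oversized_form": (b"POST /login HTTP/1.1\r\nHost: 192.0.2.1\r\n"
                       b"Content-Type: application/x-www-form-urlencoded; charset=UTF-8\r\n"
                       b"Content-Length: 10485760\r\n\r\n"),
    "chunked_form": (b"POST /login HTTP/1.1\r\nHost: 192.0.2.1\r\n"
                     b"Content-Type: application/x-www-form-urlencoded\r\n"
                     b"Transfer-Encoding: chunked\r\n\r\n"),
    "no_length": (b"POST /login HTTP/1.1\r\nHost: 192.0.2.1\r\n"
                  b"Content-Type: application/x-www-form-urlencoded\r\n\r\n"),
    "plain_get": b"GET /status HTTP/1.1\r\nHost: 192.0.2.1\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = screen_request(raw)
        print(f"{name:15} {'ALLOW' if verdict.allowed else 'BLOCK':5} {verdict.reason}")
```

The screen is deliberately narrow to the media type named in the advisory; a general per‑request body cap is a reasonable complement. Chunked form bodies are refused outright because their size is not declared in the head, which is exactly the case a size check cannot bound in advance.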
Affected Systems
Affected devices are ZTE H8102E, H168N, H167A, H199A, H288A, H198A, H267A, H267N, H268A, H388X, H196A, H369A, H268N, H208N, H367N, H181A, and H196Q. The vulnerability applies to firmware released before 2022, as observed by the reporter; the vendor asserts that models with firmware updates from 2021‑03‑23 onward are no longer vulnerable, although operator firmware may vary across deployments.
Risk and Exploitability
The vulnerability is exploitable without authentication or special privileges, so it could be used for widespread disruption. With no EPSS data available, the absolute risk remains uncertain, but the lack of authentication and the severe impact on network management suggest a high threat level. The CVSS score of 7.5 indicates high severity for the denial‑of‑service condition, which can render the router’s web interface inoperable until a reboot and potentially disrupt business continuity. CISA has not added the issue to its KEV catalog, but the public advisory describes a risk exploitable by anyone that requires urgent attention.
OpenCVE Enrichment