ETHCheat path, the affected H298A and H108N builds, the leaked markup fields, and the vendor's discontinued/out-of-scope position.I validated an unauthenticated credential leak in ZTE ZXHN H298A and H108N web interfaces and preserved the original 2024 PoC material in this repo. The observed trigger is a crafted request to getpage.lua?pid=1000ÐCheat=1; on the affected builds, the returned HTML contains the administrator password, ESSID, and WLAN PSK, while a companion wizard endpoint also exposes serial information. That turns a single unauthenticated page load into both management-panel compromise and Wi-Fi credential disclosure.
The exploit path is a direct authentication-boundary failure. An unauthenticated request to /getpage.lua with pid=1000ÐCheat=1 returns credential-bearing HTML on the affected H298A 1.1 and H108N 2.6 builds, including the administrator password and WLAN PSK. A related wizard endpoint also leaks serial information, showing that the disclosure surface is broader than one isolated DOM field.
The unauthenticated ETHCheat path returns privileged configuration data inside the response body itself. The leak is visible in rendered HTML and can be harvested directly from hidden input values.
GET /getpage.lua with pid=1000ÐCheat=1.OBJ_USERINFO_IDPassword1
WLANPSK_KeyPassphrase1
WLANAP_ESSID1
wizard_overETHfail_set_lua.lua for serial data.This is not a weak-password issue. The management interface itself discloses the live secrets to unauthenticated callers on the affected builds.
Observed requests preserved in the original PoC material.
GET /getpage.lua?pid=1000ÐCheat=1
GET /wizard_page/wizard_overETHfail_set_lua.lua
Representative fields extracted by the PoC:
- OBJ_USERINFO_IDPassword1
- WLANPSK_KeyPassphrase1
- WLANAP_ESSID1
- SerialNumberThe extraction script in poc/extract_ethcheat_credentials.py does not depend on browser state. It simply requests the page and regex-matches the secrets from the returned markup.
The public CVE record is scoped to the locally reported and tested H-series-adjacent targets below: ZTE ZXHN H298A 1.1 and ZTE ZXHN H108N 2.6. The original evidence set also notes that some same-model variants exposed only partial identifiers such as username, ESSID, serial number, or MAC address rather than the full admin-and-WLAN secret set.
The original 2024 proof set included an automated extractor and supporting screenshots. The public writeup uses redacted sample output while preserving the original artifacts in this repo.
PS> python .\poc\extract_ethcheat_credentials.py
[+] endpoint ............. /getpage.lua?pid=1000ÐCheat=1
[+] admin_password .... [REDACTED]
[+] wlan_psk ........... [REDACTED]
[+] essid .............. [REDACTED]
[+] serial_number ...... [REDACTED]
[+] result ............. credential leak confirmed
ETHCheat branch remains opaque, the black-box exposure is absolute: the router deterministically serves plaintext secrets to unauthenticated callers.This is not a weak-password or brute-force issue; it is a fundamental breakdown of the authentication boundary. Four details highlight the severity of this exposure:
The PoC does not rely on timing, session reuse, or post-auth state. A direct GET request to getpage.lua?pid=1000ÐCheat=1 is enough to reproduce the disclosure path on the affected builds.
The administrator password and WLAN PSK are not inferred indirectly. The extraction script pulls them from named HTML fields such as OBJ_USERINFO_IDPassword1 and WLANPSK_KeyPassphrase1.
The companion request to wizard_overETHfail_set_lua.lua exposes the serial number in structured output, which shows the disclosure surface is broader than one page template.
Even where the same model family leaks only username, ESSID, serial, or MAC address, the router is still returning sensitive management data to an unauthenticated caller. The core bug is the same broken trust boundary.
This repo preserves the original proof material and the later CVE-assignment trail. The exposure is validated through black-box testing and deterministic response capturing, proving the vulnerability exists at the highest impact level even without access to the proprietary server-side Lua implementation.
ETHCheat=1.OBJ_USERINFO_IDPassword1 and WLANPSK_KeyPassphrase1.The current strongest technical evidence is not a decompiled source file; it is the returned content itself and the field names the extractor reads from it.
<input id='OBJ_USERINFO_IDPassword1' value='[REDACTED]' />
<input id='WLANAP_ESSID1' value='[REDACTED]' />
<input id='WLANPSK_KeyPassphrase1' value='[REDACTED]' />poc/check_serialnumber_endpoint.py.
<ParaName>SerialNumber</ParaName>
<ParaValue>[REDACTED]</ParaValue>ZTE PSIRT acknowledged the original report in May 2024 and later stated on 2026-02-02 that the H298A and H108N products had been discontinued in 2022 and 2023 respectively, placing them outside the scope of vulnerability submission and declining vendor-side CVE assignment.
MITRE later assigned CVE-2026-34474 and requested a public reference URL. That is why this writeup focuses on preserving the original proof material and the technical minimum needed to anchor the public record, even though a vendor remediation narrative is not available.
Primary public references used to anchor the official record and the vendor's public EOS position.
ZTE PSIRT received the original H298A / H108N report covering the ETHCheat credential leak and companion serial-disclosure path.
ZTE acknowledged receipt of the report.
ZTE verified the issue and referenced EOS announcements for the impacted product line.
MITRE service request 1980204 was opened with the three original ZTE issue packages, including the H298A / H108N evidence set.
ZTE declined vendor-side CVE assignment and said the two affected products had been discontinued in 2022 and 2023.
MITRE assigned CVE-2026-34474 and requested a public reference URL containing the minimum publication data.
The public advisory reference was sent to MITRE, and publication follow-up was opened under service request 2016046.
CVE-2026-34474 was published on cve.org and appeared in NVD the same day.