CVE-2026-34473: Pre-auth ZTE H-series router DoS via CGILua request-body parsing

Disclosure: this is my own research/writeup. I reported this ZTE H-series router DoS in 2024; it is now public as CVE-2026-34473. The writeup focuses on the root cause rather than just the symptom. The issue is not simply “large POST body kills the UI.” Firmware analysis maps the behavior to CGILua request-body parsing: attacker-controlled application/x-www-form-urlencoded POST data reaches body handling before login enforcement matters. The article includes validation footage, affected-model context, disclosure timeline, decompiled parser evidence, and reconstructed public-safe code-path notes. Interested in feedback on the root-cause framing from people who review embedded web stacks or router firmware. open for collabs too. submitted by /u/TheReedemer69 [link] [comments]Technical Information Security Content & DiscussionRead More