CVE-2018-25316
Received Received - Intake
Tenda W308R v2 Session Weakness Allows DNS Modification

Publication date: 2026-04-29

Last updated on: 2026-05-04

Assigner: VulnCheck

Description
Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change DNS servers and redirect user traffic to malicious sites.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-29
Last Modified
2026-05-04
Generated
2026-06-16
AI Q&A
2026-04-29
EPSS Evaluated
2026-06-15
NVD
CVE-2018-25316
EUVD
EUVD-2018-21837
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
tenda w308r_firmware 5.07.48
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-290 This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

The vulnerability exists in Tenda W308R v2 firmware version V5.07.48 and involves a cookie session weakness. This weakness allows unauthenticated attackers to bypass proper session validation.

By exploiting this flaw, attackers can send specially crafted GET requests to the goform/AdvSetDns endpoint using a manipulated admin language cookie. This enables them to modify the DNS settings on the device.

Changing DNS settings can redirect user traffic to malicious websites without the user's knowledge.

Impact Analysis

This vulnerability can have severe impacts because it allows attackers to control DNS settings without authentication.

  • Users' internet traffic can be redirected to malicious sites, potentially leading to phishing attacks, malware infections, or data interception.
  • Since the attack requires no user interaction or privileges, it poses a high risk of exploitation.
  • The high CVSS scores (9.3 in v4.0 and 9.8 in v3.1) indicate critical severity, meaning the vulnerability can lead to complete compromise of confidentiality, integrity, and availability.
Compliance Impact

The vulnerability allows unauthenticated attackers to modify DNS settings and redirect user traffic to malicious sites, which can lead to unauthorized access, data interception, and potential data breaches.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure data integrity and confidentiality.

By enabling attackers to redirect traffic and potentially intercept or manipulate data, this vulnerability could result in violations of these regulations' security requirements.

Executive Summary

CVE-2018-25316 is a critical vulnerability in the Tenda W308R v2 router firmware version 5.07.48 caused by a cookie session weakness. This flaw allows unauthenticated attackers to bypass authentication by exploiting insufficient session validation.

Attackers can send specially crafted GET requests to the router's goform/AdvSetDns endpoint with a manipulated admin language cookie, enabling them to change the DNS server settings on the device.

By modifying DNS settings, attackers can redirect user traffic to malicious websites, potentially leading to further attacks.

Impact Analysis

Exploitation of this vulnerability allows attackers to redirect your internet traffic to malicious sites by changing the DNS settings on your router without authentication.

  • Users may be exposed to phishing attacks by being redirected to fake websites.
  • Attackers can replace legitimate advertisements with malicious ones, potentially leading to adware infections.
  • Malicious actors can control and redirect network traffic, increasing the risk of malware infections and data interception.
Detection Guidance

This vulnerability can be detected by monitoring for unauthorized or suspicious HTTP GET requests sent to the router's goform/AdvSetDns endpoint with unusual or crafted admin language cookies.

Network administrators can use tools like curl or wget to simulate such requests and check if the router accepts DNS changes without proper authentication.

  • Use curl to send a crafted GET request to the vulnerable endpoint and observe the response:
  • curl -v --cookie "admin_lang=crafted_value" "http://<router_ip>/goform/AdvSetDns?dns1=8.8.8.8&dns2=8.8.4.4"
  • Check router DNS settings before and after the request to detect unauthorized changes.
  • Monitor network traffic for DNS server changes or redirection to malicious sites.
Mitigation Strategies

Immediate mitigation steps include restricting access to the router's web interface to trusted networks or IP addresses only.

Disable remote management features if enabled to prevent external exploitation.

Change default credentials and ensure strong authentication mechanisms are in place.

Monitor and audit DNS settings regularly to detect unauthorized changes.

If available, update the router firmware to a version that patches this vulnerability.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2018-25316. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart