CVE-2018-25316
Tenda W308R v2 Session Weakness Allows DNS Modification
Publication date: 2026-04-29
Last updated on: 2026-05-04
Assigner: VulnCheck
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| tenda | w308r_firmware | 5.07.48 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-290 | This attack-focused weakness is caused by incorrectly implemented authentication schemes that are subject to spoofing attacks. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
The vulnerability exists in Tenda W308R v2 firmware version V5.07.48 and involves a cookie session weakness. This weakness allows unauthenticated attackers to bypass proper session validation.
By exploiting this flaw, attackers can send specially crafted GET requests to the goform/AdvSetDns endpoint using a manipulated admin language cookie. This enables them to modify the DNS settings on the device.
Changing DNS settings can redirect user traffic to malicious websites without the user's knowledge.
How can this vulnerability impact me? :
This vulnerability can have severe impacts because it allows attackers to control DNS settings without authentication.
- Users' internet traffic can be redirected to malicious sites, potentially leading to phishing attacks, malware infections, or data interception.
- Since the attack requires no user interaction or privileges, it poses a high risk of exploitation.
- The high CVSS scores (9.3 in v4.0 and 9.8 in v3.1) indicate critical severity, meaning the vulnerability can lead to complete compromise of confidentiality, integrity, and availability.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability allows unauthenticated attackers to modify DNS settings and redirect user traffic to malicious sites, which can lead to unauthorized access, data interception, and potential data breaches.
Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive data against unauthorized access and ensure data integrity and confidentiality.
By enabling attackers to redirect traffic and potentially intercept or manipulate data, this vulnerability could result in violations of these regulations' security requirements.
Can you explain this vulnerability to me?
CVE-2018-25316 is a critical vulnerability in the Tenda W308R v2 router firmware version 5.07.48 caused by a cookie session weakness. This flaw allows unauthenticated attackers to bypass authentication by exploiting insufficient session validation.
Attackers can send specially crafted GET requests to the router's goform/AdvSetDns endpoint with a manipulated admin language cookie, enabling them to change the DNS server settings on the device.
By modifying DNS settings, attackers can redirect user traffic to malicious websites, potentially leading to further attacks.
How can this vulnerability impact me? :
Exploitation of this vulnerability allows attackers to redirect your internet traffic to malicious sites by changing the DNS settings on your router without authentication.
- Users may be exposed to phishing attacks by being redirected to fake websites.
- Attackers can replace legitimate advertisements with malicious ones, potentially leading to adware infections.
- Malicious actors can control and redirect network traffic, increasing the risk of malware infections and data interception.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by monitoring for unauthorized or suspicious HTTP GET requests sent to the router's goform/AdvSetDns endpoint with unusual or crafted admin language cookies.
Network administrators can use tools like curl or wget to simulate such requests and check if the router accepts DNS changes without proper authentication.
- Use curl to send a crafted GET request to the vulnerable endpoint and observe the response:
- curl -v --cookie "admin_lang=crafted_value" "http://<router_ip>/goform/AdvSetDns?dns1=8.8.8.8&dns2=8.8.4.4"
- Check router DNS settings before and after the request to detect unauthorized changes.
- Monitor network traffic for DNS server changes or redirection to malicious sites.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include restricting access to the router's web interface to trusted networks or IP addresses only.
Disable remote management features if enabled to prevent external exploitation.
Change default credentials and ensure strong authentication mechanisms are in place.
Monitor and audit DNS settings regularly to detect unauthorized changes.
If available, update the router firmware to a version that patches this vulnerability.