Cyber Resilience

CVE-2018-25316

CriticalPublic PoC

Published: 29 April 2026

Published
29 April 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0065 46.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2018-25316 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Tenda W308R Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2018-25316 is a cookie session weakness vulnerability affecting the Tenda W308R v2 router on firmware version V5.07.48. The flaw arises from insufficient session validation, enabling unauthenticated attackers to modify DNS settings via crafted requests. It is classified under CWE-290 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.

Unauthenticated remote attackers can exploit this vulnerability by sending GET requests to the /goform/AdvSetDns endpoint with a specially crafted "admin language" cookie. Successful exploitation allows attackers to alter the device's DNS server configurations, redirecting user traffic to malicious sites for purposes such as phishing or further compromise.

Advisories and proof-of-concept exploits are documented in key references, including Exploit-DB at https://www.exploit-db.com/exploits/44373 and a Vulncheck advisory at https://www.vulncheck.com/advisories/tenda-w308r-v2-cookie-session-weakness-dns-change. Security practitioners should review these sources for detailed reproduction steps and any vendor-recommended mitigations.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change…

more

DNS servers and redirect user traffic to malicious sites.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Direct unauthenticated exploitation of public web management interface (/goform/AdvSetDns) on network device to modify configuration (DNS).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25318Same vendor: Tenda
CVE-2018-25317Same vendor: Tenda
CVE-2025-29357Same vendor: Tenda
CVE-2025-1853Same vendor: Tenda
CVE-2026-5841Same vendor: Tenda
CVE-2025-12225Same vendor: Tenda
CVE-2025-7420Same vendor: Tenda
CVE-2025-7747Same vendor: Tenda
CVE-2025-7795Same vendor: Tenda
CVE-2026-3379Same vendor: Tenda

Affected Assets

tenda
w308r firmware
5.07.48

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly addresses the cookie session weakness by requiring protection of the authenticity of communications sessions to prevent unauthenticated modification of DNS settings via crafted cookies.

prevent

Enforces approved authorizations for access to system resources like the DNS configuration endpoint, mitigating insufficient session validation that allows unauthenticated changes.

prevent

Validates inputs such as the crafted admin language cookie sent to the goform/AdvSetDns endpoint to block unauthorized DNS server modifications.

References