CVE-2018-25316
Published: 29 April 2026
Summary
CVE-2018-25316 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Tenda W308R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly addresses the cookie session weakness by requiring protection of the authenticity of communications sessions to prevent unauthenticated modification of DNS settings via crafted cookies.
Enforces approved authorizations for access to system resources like the DNS configuration endpoint, mitigating insufficient session validation that allows unauthenticated changes.
Validates inputs such as the crafted admin language cookie sent to the goform/AdvSetDns endpoint to block unauthorized DNS server modifications.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Direct unauthenticated exploitation of public web management interface (/goform/AdvSetDns) on network device to modify configuration (DNS).
NVD Description
Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change…
more
DNS servers and redirect user traffic to malicious sites.
Deeper analysisAI
CVE-2018-25316 is a cookie session weakness vulnerability affecting the Tenda W308R v2 router on firmware version V5.07.48. The flaw arises from insufficient session validation, enabling unauthenticated attackers to modify DNS settings via crafted requests. It is classified under CWE-290 and carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), marking it as critical due to its high impact on confidentiality, integrity, and availability.
Unauthenticated remote attackers can exploit this vulnerability by sending GET requests to the /goform/AdvSetDns endpoint with a specially crafted "admin language" cookie. Successful exploitation allows attackers to alter the device's DNS server configurations, redirecting user traffic to malicious sites for purposes such as phishing or further compromise.
Advisories and proof-of-concept exploits are documented in key references, including Exploit-DB at https://www.exploit-db.com/exploits/44373 and a Vulncheck advisory at https://www.vulncheck.com/advisories/tenda-w308r-v2-cookie-session-weakness-dns-change. Security practitioners should review these sources for detailed reproduction steps and any vendor-recommended mitigations.
Details
- CWE(s)