Cyber Resilience

CVE-2018-25317

Critical · Public PoC

Published: 29 April 2026

Modified: 05 May 2026
KEV Added
Patch
CVSS Score v4: 9.3
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0065 (46.6th percentile)
Risk Priority: 70 (floored blend · peak EPSS)

Summary

CVE-2018-25317 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Tenda W3002R Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 46.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2018-25317 is a cookie session weakness vulnerability in Tenda W3002R, A302, and W309R wireless routers running firmware version V5.07.64_en. The flaw stems from insufficient session validation, enabling attackers to modify DNS settings without authentication. Specifically, attackers can send GET requests to the /goform/AdvSetDns endpoint using a crafted admin language cookie to alter the primary and secondary DNS servers. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-290 (Authentication Bypass by Spoofing).

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting and sending the malicious GET request, they can redirect all user traffic through malicious DNS servers, potentially enabling man-in-the-middle attacks, phishing, or further network compromise.

Advisories and exploit details are documented in references including an Exploit-DB entry at https://www.exploit-db.com/exploits/44380 and a Vulncheck advisory at https://www.vulncheck.com/advisories/tenda-w3002r-a302-w309r-64-en-cookie-session-weakness-dns-change.
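A detection sketch for the behaviour described above, added here as an example and not taken from the referenced advisories: it scans HTTP request logs for calls to /goform/AdvSetDns and flags those from non-admin sources or that carry resolver addresses outside an approved set. The log format, the admin host list, the approved resolvers and the sample lines (including their query parameter names) are assumptions constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import parse_qsl, urlsplit

ENDPOINT = "/goform/AdvSetDns"                    # endpoint named in the advisory
ADMIN_HOSTS = {"192.168.0.10"}                    # assumption: hosts allowed to manage the router
APPROVED_DNS = {"192.168.0.1", "198.51.100.53"}   # assumption: resolvers you expect to see

# Assumed input: Common Log Format lines from a proxy or HTTP sensor on the LAN.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample lines; parameter names "a"/"b" are placeholders, not the firmware's.
SAMPLE_LOG = """\
192.168.0.10 - - [05/May/2026:10:00:01 +0000] "GET /goform/AdvSetDns?a=198.51.100.53&b=192.168.0.1 HTTP/1.1" 200 312
192.168.0.77 - - [05/May/2026:10:03:44 +0000] "GET /goform/AdvSetDns?a=203.0.113.66&b=203.0.113.67 HTTP/1.1" 200 312
192.168.0.77 - - [05/May/2026:10:04:02 +0000] "GET /index.asp HTTP/1.1" 200 1024
garbled line without a request
"""

def ips_in_query(url):
    """Return every query-string value that parses as an IP address."""
    found = []
    for _, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        try:
            found.append(str(ipaddress.ip_address(value.strip())))
        except ValueError:
            continue  # not an address, ignore
    return found

def find_dns_changes(log_text):
    """Flag requests to the DNS-setting endpoint that look unauthorized."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or urlsplit(m["url"]).path.rstrip("/").lower() != ENDPOINT.lower():
            continue  # unparseable line or a different endpoint
        reasons = []
        if m["src"] not in ADMIN_HOSTS:
            reasons.append("source is not an admin host")
        rogue = [ip for ip in ips_in_query(m["url"]) if ip not in APPROVED_DNS]
        if rogue:
            reasons.append("unapproved resolver: " + ", ".join(rogue))
        if reasons:
            findings.append({"ts": m["ts"], "src": m["src"],
                             "rogue_dns": rogue, "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in find_dns_changes(SAMPLE_LOG):
        print(f["ts"], f["src"], "; ".join(f["reasons"]))
```

Because the page describes the request as unauthenticated, any hit from outside the admin host list is worth triage even when the resolver values look benign.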

Vulnerability details

Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers.

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1557.001 Name Resolution Poisoning and SMB Relay (Credential Access): By responding to LLMNR/NBT-NS/mDNS network traffic, adversaries may spoof an authoritative source for name resolution to force communication with an adversary controlled system.

Why these techniques?

Direct unauthenticated exploitation of the router web management interface (/goform endpoint) maps to T1190; resulting unauthorized DNS modification enables name resolution poisoning for MITM attacks.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25316 (same vendor: Tenda)
CVE-2018-25318 (same vendor: Tenda)
CVE-2025-29357 (same vendor: Tenda)
CVE-2025-1853 (same vendor: Tenda)
CVE-2026-5841 (same vendor: Tenda)
CVE-2025-12225 (same vendor: Tenda)
CVE-2025-7420 (same vendor: Tenda)
CVE-2025-7747 (same vendor: Tenda)
CVE-2025-7795 (same vendor: Tenda)
CVE-2026-3379 (same vendor: Tenda)

Affected Assets

Vendor / Product / Version
tenda / w3002r firmware / 5.07.64_en
tenda / a302 firmware / 5.07.64_en
tenda / w309r firmware / 5.07.64_en

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

Prevent: Enforces approved authorizations on sensitive endpoints like /goform/AdvSetDns, preventing unauthenticated attackers from modifying DNS settings.

Prevent: Protects the authenticity of sessions by validating session cookies, directly countering the crafted admin language cookie exploitation.

Prevent: Applies least privilege to restrict DNS configuration changes to authorized entities, mitigating impacts of the authentication bypass.
