CVE-2018-25317
Published: 29 April 2026
Summary
CVE-2018-25317 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Tenda W3002R Firmware. Its CVSS base score is 9.8 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 36.6th percentile by exploit likelihood (below the median), is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Enforces approved authorizations on sensitive endpoints like /goform/AdvSetDns, preventing unauthenticated attackers from modifying DNS settings.
Protects the authenticity of sessions by validating session cookies, directly countering the crafted admin language cookie exploitation.
Applies least privilege to restrict DNS configuration changes to authorized entities, mitigating impacts of the authentication bypass.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Direct unauthenticated exploitation of the router web management interface (/goform endpoint) maps to T1190; resulting unauthorized DNS modification enables name resolution poisoning for MITM attacks.
NVD Description
Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers.
Deeper analysis
CVE-2018-25317 is a cookie session weakness vulnerability in Tenda W3002R, A302, and W309R wireless routers running firmware version V5.07.64_en. The flaw stems from insufficient session validation, enabling attackers to modify DNS settings without authentication. Specifically, attackers can send GET requests to the /goform/AdvSetDns endpoint using a crafted admin language cookie to alter the primary and secondary DNS servers. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-290 (Authentication Bypass by Spoofing).
Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting and sending the malicious GET request, they can redirect all user traffic through malicious DNS servers, potentially enabling man-in-the-middle attacks, phishing, or further network compromise.
Advisories and exploit details are documented in references including an Exploit-DB entry at https://www.exploit-db.com/exploits/44380 and a VulnCheck advisory at https://www.vulncheck.com/advisories/tenda-w3002r-a302-w309r-64-en-cookie-session-weakness-dns-change.
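Because the router itself does not enforce authorization on /goform/AdvSetDns, a compensating detection can watch for requests to that endpoint from hosts that are not approved administrators. The following is an added example, not code from the advisory or the vendor. It assumes an HTTP-aware sensor or proxy in front of the management interface that writes combined-log-style lines; the admin allow-list, log shape and sample lines are all constructed.

```python
import ipaddress
import re
from urllib.parse import unquote

# Assumption: the only host approved to administer the router (constructed).
ADMIN_SOURCES = [ipaddress.ip_network("192.168.0.10/32")]
SENSITIVE_PATH = "/goform/advsetdns"  # endpoint from the advisory, lower-cased

# Assumed log shape: client, ident, user, [timestamp], "request line", status.
LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"[A-Z]+ (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def normalise_path(target):
    """Drop the query, decode percent-escapes, collapse repeated slashes and
    lower-case, so spelling variants of the endpoint still compare equal."""
    path = unquote(target.split("?", 1)[0])
    return re.sub(r"/+", "/", path).lower()

def is_admin(src):
    """True only if src parses as an IP address inside an approved network."""
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or junk in the client field: not approved
    return any(addr in net for net in ADMIN_SOURCES)

def find_dns_change_requests(lines):
    """Return (timestamp, source, status) for every request to the DNS
    settings endpoint that did not come from an approved admin host."""
    alerts = []
    for line in lines:
        m = LINE_RE.match(line)
        if m and normalise_path(m["target"]) == SENSITIVE_PATH \
                and not is_admin(m["src"]):
            alerts.append((m["ts"], m["src"], int(m["status"])))
    return alerts

# Constructed sample lines (not captured traffic).
SAMPLE = [
    '192.168.0.10 - - [01/May/2026:10:00:01 +0000] "GET /goform/AdvSetDns HTTP/1.1" 200',
    '192.168.0.77 - - [01/May/2026:10:02:13 +0000] "GET /goform/AdvSetDns?a=b HTTP/1.1" 200',
    '203.0.113.5 - - [01/May/2026:10:05:40 +0000] "GET /goform//%41dvSetDns HTTP/1.1" 200',
    '192.168.0.77 - - [01/May/2026:10:06:00 +0000] "GET /index.html HTTP/1.1" 200',
]

if __name__ == "__main__":
    for alert in find_dns_change_requests(SAMPLE):
        print("ALERT", *alert)
```

An alert here means the endpoint was requested, not that the change succeeded; confirm by comparing the router's configured DNS servers against the resolvers you expect.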
Details
- CWE(s)