Cyber Posture

CVE-2018-25318

CriticalPublic PoC

Published: 29 April 2026

Published
29 April 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score 9.8 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0016 36.6th percentile
Risk Priority 20 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2018-25318 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Tenda Fh303 Firmware. Its CVSS base score is 9.8 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 36.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SC-23 Session Authenticity good match
prevent

Protects the authenticity of web sessions by requiring validation of session cookies, directly preventing exploitation of insufficient cookie validation to spoof admin access.

AC-3 Access Enforcement good match
prevent

Enforces approved authorizations for accessing sensitive endpoints like DNS configuration, blocking unauthenticated requests with crafted cookies.

IA-5 Authenticator Management partial match
prevent

Manages authenticators including session cookies by requiring protection against unauthorized modification and proper validation mechanisms.

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
attack.mitre.org →
Why these techniques?

Vulnerability is an auth bypass in a public-facing router web management interface (/goform/AdvSetDns) allowing unauthenticated DNS config changes via crafted requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

NVD Description

Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers…

more

and redirect user traffic to malicious sites.

Deeper analysisAI

CVE-2018-25318 is a session weakness vulnerability in Tenda FH303/A300 firmware version V5.07.68_EN, arising from insufficient cookie validation. This flaw allows unauthenticated attackers to modify DNS settings on affected devices.

Remote attackers with network access can exploit the vulnerability by sending crafted GET requests to the /goform/AdvSetDns endpoint, using a spoofed admin cookie. Successful exploitation enables attackers to alter DNS servers, redirecting user traffic to malicious sites and potentially enabling further attacks like phishing or malware distribution. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity across confidentiality, integrity, and availability impacts, and is associated with CWE-290.

Relevant advisories and resources include an exploit entry on Exploit-DB at https://www.exploit-db.com/exploits/44381 and a Vulncheck advisory at https://www.vulncheck.com/advisories/tenda-fh303-a300-68-en-cookie-session-weakness-dns-change.

Details

CWE(s)
CWE-290

Affected Products

tenda
fh303 firmware
5.07.68_en
tenda
a300 firmware
5.07.68_en

CVEs Like This One

CVE-2018-25316Same vendor: Tenda
CVE-2018-25317Same vendor: Tenda
CVE-2025-55603Same vendor: Tenda
CVE-2025-15008Same vendor: Tenda
CVE-2026-3379Same vendor: Tenda
CVE-2025-11123Same vendor: Tenda
CVE-2024-57704Same vendor: Tenda
CVE-2025-14992Same vendor: Tenda
CVE-2025-11527Same vendor: Tenda
CVE-2026-6988Same vendor: Tenda

References