Cyber Resilience

CVE-2018-25318

CriticalPublic PoC

Published: 29 April 2026

Published
29 April 2026
Modified
04 May 2026
KEV Added
Patch
CVSS Score v4 9.3 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0065 46.6th percentile
Risk Priority 70 floored blend · peak EPSS

Summary

CVE-2018-25318 is a critical-severity Authentication Bypass by Spoofing (CWE-290) vulnerability in Tenda Fh303 Firmware. Its CVSS base score is 9.3 (Critical).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 46.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SC-23 (Session Authenticity).

Deeper analysis

CVE-2018-25318 is a session weakness vulnerability in Tenda FH303/A300 firmware version V5.07.68_EN, arising from insufficient cookie validation. This flaw allows unauthenticated attackers to modify DNS settings on affected devices.

Remote attackers with network access can exploit the vulnerability by sending crafted GET requests to the /goform/AdvSetDns endpoint, using a spoofed admin cookie. Successful exploitation enables attackers to alter DNS servers, redirecting user traffic to malicious sites and potentially enabling further attacks like phishing or malware distribution. The issue carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), reflecting critical severity across confidentiality, integrity, and availability impacts, and is associated with CWE-290.

Relevant advisories and resources include an exploit entry on Exploit-DB at https://www.exploit-db.com/exploits/44381 and a Vulncheck advisory at https://www.vulncheck.com/advisories/tenda-fh303-a300-68-en-cookie-session-weakness-dns-change.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers…

more

and redirect user traffic to malicious sites.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

Vulnerability is an auth bypass in a public-facing router web management interface (/goform/AdvSetDns) allowing unauthenticated DNS config changes via crafted requests.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2018-25316Same vendor: Tenda
CVE-2018-25317Same vendor: Tenda
CVE-2025-29357Same vendor: Tenda
CVE-2025-1853Same vendor: Tenda
CVE-2026-5841Same vendor: Tenda
CVE-2025-12225Same vendor: Tenda
CVE-2025-7420Same vendor: Tenda
CVE-2025-7747Same vendor: Tenda
CVE-2025-7795Same vendor: Tenda
CVE-2026-3379Same vendor: Tenda

Affected Assets

tenda
fh303 firmware
5.07.68_en
tenda
a300 firmware
5.07.68_en

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Protects the authenticity of web sessions by requiring validation of session cookies, directly preventing exploitation of insufficient cookie validation to spoof admin access.

prevent

Enforces approved authorizations for accessing sensitive endpoints like DNS configuration, blocking unauthenticated requests with crafted cookies.

prevent

Manages authenticators including session cookies by requiring protection against unauthorized modification and proper validation mechanisms.

References