CVE-2018-25316: Tenda Router Flaw Exposes DNS Hijacking Risk

The National Vulnerability Database has detailed CVE-2018-25316, a critical vulnerability affecting Tenda W308R v2 routers running firmware V5.07.48. This flaw stems from insufficient session validation, allowing unauthenticated attackers to hijack DNS settings. By crafting a specific cookie in a GET request to the goform/AdvSetDns endpoint, an attacker can effectively redirect all user traffic to malicious websites, making it a potent tool for man-in-the-middle attacks and widespread redirection campaigns.

The National Vulnerability Database highlights a CVSS score of 9.8, underscoring the severity. Attackers can achieve this remotely without any user interaction or prior authentication. This means any internet-facing Tenda W308R v2 router on the specified firmware version is a potential target. The implications are severe: attackers can poison DNS caches, serve fake websites, and intercept sensitive data from unsuspecting users connected to the compromised network.

What This Means For You

  • If your organization utilizes Tenda W308R v2 routers with firmware V5.07.48, immediately investigate and update firmware to the latest available version. If updates are not immediately feasible, consider segmenting these devices from critical internal networks and implementing stricter firewall rules to limit external access to management interfaces.

🛡️ Detection Rules

2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

critical T1190 Initial Access

CVE-2018-25316: Tenda W308R DNS Hijacking via Crafted Cookie

Sigma YAML
title: 'CVE-2018-25316: Tenda W308R DNS Hijacking via Crafted Cookie'
id: scw-2026-04-29-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2018-25316 by sending a GET request to the '/goform/AdvSetDns' endpoint with a crafted 'admin language' cookie. This indicates an unauthenticated attacker attempting to modify DNS settings on a Tenda W308R router.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25316/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # Request path of the DNS settings handler
    cs-uri-stem|contains: '/goform/AdvSetDns'
    # A field with no modifier is matched as a whole value
    cs-method: 'GET'
    # The crafted value arrives in the Cookie header, not in Referer;
    # the log source must record request cookies for this to match
    cs-cookie|contains: 'admin language='
  condition: selection
falsepositives:
  - Legitimate administrative activity

Source: Shimi's Cyber World
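
The same match logic applied in Python to access-log lines, as an added example that is not part of the original page or its rule set. It assumes a proxy or sensor in front of the router that writes combined log format with the Cookie header appended as a final quoted field; the function names, the internal-range list and the sample lines are constructed for illustration.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Assumed layout (not from the page): combined log format with the request's
# Cookie header appended as a final quoted field.
LINE_RE = re.compile(
    r'(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<cookie>[^"]*)"')
ENDPOINT = "/goform/advsetdns"     # endpoint named in the advisory, lowercased
COOKIE_MARKER = "admin language="  # cookie name as the advisory writes it
# Assumed trusted LAN ranges; adjust to the site. Everything else is external.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


def is_internal(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # hostname or junk in the source field: not trusted
    return any(addr in net for net in INTERNAL)


def find_advsetdns_hits(lines):
    """Return one finding per GET to the DNS endpoint that carries the cookie."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "GET":
            continue  # unparseable lines are skipped, other methods are out of scope
        if ENDPOINT not in urlsplit(m["uri"]).path.lower():
            continue
        if COOKIE_MARKER not in m["cookie"].lower():
            continue
        # The management interface should never be reachable from outside the LAN.
        priority = "review" if is_internal(m["src"]) else "critical"
        findings.append({"time": m["ts"], "src": m["src"],
                         "status": int(m["status"]), "priority": priority})
    return findings


# Constructed sample lines; addresses are documentation and private ranges.
SAMPLE = [
    '203.0.113.7 - - [29/Apr/2026:23:01:10 +0000] "GET /goform/AdvSetDns?x=1 HTTP/1.1" 200 12 "-" "curl/8.0" "admin language=en"',
    '192.168.0.20 - - [29/Apr/2026:23:02:00 +0000] "GET /goform/AdvSetDns HTTP/1.1" 200 12 "-" "Mozilla/5.0" "admin language=en"',
    '203.0.113.7 - - [29/Apr/2026:23:03:00 +0000] "GET /index.asp HTTP/1.1" 200 900 "-" "curl/8.0" "-"',
    '198.51.100.9 - - [29/Apr/2026:23:04:00 +0000] "POST /goform/AdvSetDns HTTP/1.1" 200 12 "-" "curl/8.0" "admin language=en"',
]
```

Calling `find_advsetdns_hits(SAMPLE)` returns two findings: the external source is ranked `critical`, and the LAN source is left for `review` because it may be the legitimate administrative activity the rule lists as a false positive.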

Indicators of Compromise

ID | Type | Indicator
CVE-2018-25316 | Auth Bypass | Tenda W308R v2 V5.07.48
CVE-2018-25316 | Misconfiguration | Insufficient session validation
CVE-2018-25316 | DNS Hijacking | GET request to goform/AdvSetDns endpoint with crafted admin language cookie

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 29, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
