Tenda Routers: CVE-2018-25317 Allows Unauthenticated DNS Hijacking

The National Vulnerability Database reports a critical cookie session weakness, CVE-2018-25317, impacting Tenda W3002R, A302, and W309R wireless routers running firmware version V5.07.64_en. This vulnerability, rated 9.8 CVSS (CRITICAL), allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation.

Attackers can leverage this flaw by sending crafted GET requests to the /goform/AdvSetDns endpoint. By manipulating an admin language cookie, they can change both the primary and secondary DNS servers on the device. This redirects users' DNS lookups to attacker-chosen servers, enabling phishing, man-in-the-middle attacks, and malware distribution.

While the National Vulnerability Database does not specify whether products beyond the listed models are affected, the implications are severe. Compromised routers become a pivot point, allowing attackers to control internet name resolution for all connected devices. This bypasses typical endpoint security measures: every lookup from a connected device is answered by an attacker-controlled resolver, even though the attacker has no direct access to the device itself.

What This Means For You

  • If your organization or remote workforce uses Tenda W3002R, A302, or W309R wireless routers, immediately verify their firmware version. If a device is running V5.07.64_en or older, treat it as at risk of compromise. Isolate these devices and replace them with supported hardware, as a patch for this specific CVE from 2018 is unlikely. Audit network traffic for unusual DNS queries originating from or passing through these devices.

🛡️ Detection Rules

title: Tenda Router Unauthenticated DNS Hijacking Attempt (CVE-2018-25317)
id: scw-2026-04-29-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2018-25317 by sending a GET request to the /goform/AdvSetDns endpoint with parameters to modify DNS settings. This indicates an unauthenticated attacker attempting to hijack DNS resolution on a vulnerable Tenda router.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25317/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    # Request method and path of the DNS settings endpoint
    cs-method: 'GET'
    cs-uri-stem|contains: '/goform/AdvSetDns'
    # Both DNS parameters must be present in the query string
    cs-uri-query|contains|all:
      - 'primary_dns='
      - 'secondary_dns='
  condition: selection
falsepositives:
  - Legitimate administrative activity
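
The rule's matching logic applied to access-log lines, as an added example that is not part of the original page or of the rule author's tooling. It goes one step beyond the rule by extracting the requested resolvers and comparing them with an allowlist. The log layout, the sample lines and APPROVED_RESOLVERS are constructed assumptions; the endpoint and parameter names are the ones the rule above matches on.

```python
from urllib.parse import urlsplit, parse_qs

ENDPOINT = "/goform/advsetdns"                 # endpoint from the advisory, lower-cased
DNS_PARAMS = ("primary_dns", "secondary_dns")  # parameter names the Sigma rule matches
APPROVED_RESOLVERS = {"192.0.2.53", "192.0.2.54"}  # assumption: your sanctioned resolvers

# Constructed sample lines in an assumed layout: "<client> <method> <uri> <status>"
SAMPLE_LOG = """\
10.0.0.23 GET /goform/AdvSetDns?primary_dns=203.0.113.66&secondary_dns=203.0.113.67 200
10.0.0.5 GET /goform/AdvSetDns?secondary_dns=192.0.2.54&primary_dns=192.0.2.53 200
10.0.0.23 GET /goform/advsetdns?primary%5Fdns=203.0.113.66&secondary_dns=203.0.113.67 200
10.0.0.9 POST /goform/AdvSetDns?primary_dns=203.0.113.66&secondary_dns=203.0.113.67 200
10.0.0.9 GET /index.asp?primary_dns=1 200
malformed entry
"""

def triage(log_text, approved=APPROVED_RESOLVERS):
    """Return one finding per GET to the DNS endpoint that carries both DNS parameters."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of raising
        client, method, uri, _status = parts
        url = urlsplit(uri)
        # Sigma string matching is case-insensitive by default, so compare lower-cased
        if method.upper() != "GET" or ENDPOINT not in url.path.lower():
            continue
        # parse_qs percent-decodes names and values, so an encoded key still matches
        query = {k.lower(): v for k, v in parse_qs(url.query).items()}
        if not all(p in query for p in DNS_PARAMS):
            continue
        resolvers = [query[p][-1] for p in DNS_PARAMS]  # primary first, then secondary
        unapproved = [r for r in resolvers if r not in approved]
        findings.append({
            "client": client,
            "resolvers": resolvers,
            # a change to a sanctioned resolver still deserves a look, at lower priority
            "severity": "high" if unapproved else "review",
        })
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A "review" finding corresponds to the rule's listed false positive, legitimate administrative activity; a "high" finding means the request tried to set a resolver outside the allowlist.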

Indicators of Compromise

ID: CVE-2018-25317
Type: Vulnerability
Indicator: CVE-2018-25317

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: April 29, 2026 at 23:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
