CVE-2018-25318: Tenda Router Vulnerability Allows DNS Hijacking
The National Vulnerability Database highlights CVE-2018-25318, a critical session weakness in Tenda FH303/A300 firmware V5.07.68_EN. This vulnerability, rated 9.8 CVSS, stems from insufficient cookie validation, enabling unauthenticated attackers to modify DNS settings. This isn’t just a configuration tweak; it’s a direct path to full traffic redirection.
Attackers can exploit this by sending crafted GET requests to the /goform/AdvSetDns endpoint with a fabricated admin cookie. The lack of proper session validation means they don’t need to authenticate. Once DNS settings are altered, all user traffic passing through the affected router can be rerouted to malicious sites, facilitating phishing, malware distribution, or credential theft. This is a classic man-in-the-middle scenario at the network edge.
While the National Vulnerability Database does not specify affected products beyond the firmware version, the impact is clear: any organization or individual using these specific Tenda router models is at severe risk. The attacker’s calculus here is simple: target a common, often unmanaged, edge device to gain broad control over user traffic with minimal effort, bypassing endpoint security controls entirely.
What This Means For You
- If your organization or home network uses Tenda FH303/A300 routers with firmware V5.07.68_EN, you are exposed to critical DNS hijacking. Immediately check your router firmware version and replace or upgrade any vulnerable devices. There is no patching this — it's a fundamental design flaw.
🛡️ Detection Rules
2 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.
CVE-2018-25318: Tenda Router DNS Hijacking Attempt
```yaml
title: 'CVE-2018-25318: Tenda Router DNS Hijacking Attempt'
id: scw-2026-04-29-ai-1
status: experimental
level: critical
description: |
  Detects attempts to exploit CVE-2018-25318 by sending a GET request to the /goform/AdvSetDns endpoint with a crafted admin cookie. This indicates an unauthenticated attacker attempting to modify DNS settings on a Tenda router, leading to DNS hijacking and potential redirection to malicious sites.
author: SCW Feed Engine (AI-generated)
date: 2026-04-29
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2018-25318/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: webserver
detection:
  selection:
    cs-uri:
      - '/goform/AdvSetDns'
    cs-method:
      - 'GET'
    # This condition matches the query string only; the Cookie header is not inspected.
    cs-uri-query|contains:
      - 'admin=1'
  condition: selection
falsepositives:
  - Legitimate administrative activity
```
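
The Sigma rule above looks for the admin marker in the query string, while the advisory describes it as a cookie. As an added example (not part of the original page or the SCW rule set), the Python below triages W3C extended-format web logs for GET requests to `/goform/AdvSetDns` and checks both the query string and the logged `cs(Cookie)` field. The log layout, the sample lines and the assumption that the fabricated cookie is named `admin` are constructed for illustration.

```python
# Added example, not from the original page. Sample log lines are constructed.
from urllib.parse import parse_qs

ENDPOINT = "/goform/AdvSetDns"  # endpoint named in the advisory
MARKER = "admin"                # assumed cookie/parameter name (from the rule's 'admin=1')

SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query cs(Cookie) sc-status
2026-04-29 10:00:01 192.0.2.10 GET /index.asp - - 200
2026-04-29 10:00:05 192.0.2.10 GET /goform/AdvSetDns x=constructed admin=constructed 200
2026-04-29 10:00:09 198.51.100.7 GET /goform/AdvSetDns admin=1 - 200
2026-04-29 10:00:12 198.51.100.7 POST /goform/AdvSetDns - - 403
2026-04-29 10:00:15 203.0.113.4 GET /GOFORM/advsetdns - language=en;+admin=constructed 200
"""

def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#"):
            values = line.split()
            if fields and len(values) == len(fields):
                yield dict(zip(fields, values))

def cookie_names(raw):
    """Names in a logged Cookie header; '-' means absent, '+' encodes a space."""
    if raw == "-":
        return set()
    parts = raw.replace("+", " ").split(";")
    return {p.split("=", 1)[0].strip().lower() for p in parts if p.strip()}

def find_dns_change_requests(text):
    """Return (client_ip, where) for GETs to ENDPOINT; where is 'cookie' or 'query'."""
    hits = []
    for rec in parse_w3c(text):
        # Case-insensitive path compare so case variants are surfaced for review.
        if rec["cs-method"] != "GET" or rec["cs-uri-stem"].lower() != ENDPOINT.lower():
            continue
        query = parse_qs(rec["cs-uri-query"], keep_blank_values=True)
        if MARKER in cookie_names(rec["cs(Cookie)"]):
            hits.append((rec["c-ip"], "cookie"))
        elif MARKER in query:
            hits.append((rec["c-ip"], "query"))
    return hits
```

Records reported with `cookie` are the ones a query-only match does not surface, so the log source must actually record the Cookie header for this check to be useful.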
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2018-25318 | Auth Bypass | Tenda FH303/A300 firmware V5.07.68_EN |
| CVE-2018-25318 | Misconfiguration | Insufficient cookie validation |
| CVE-2018-25318 | Code Injection | GET request to /goform/AdvSetDns endpoint with crafted admin cookie |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | April 29, 2026 at 23:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.