Cyber Posture

CVE-2018-25317

Critical · Public PoC

Published: 29 April 2026

Modified: 05 May 2026
CVSS Score: 9.8 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0016 (36.6th percentile)
Risk Priority: 20 (60% EPSS · 20% KEV · 20% CVSS)

Description

Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers.

Mitigating Controls (NIST 800-53 r5) · AI

prevent

Enforces approved authorizations on sensitive endpoints like /goform/AdvSetDns, preventing unauthenticated attackers from modifying DNS settings.

prevent

Protects the authenticity of sessions by validating session cookies, directly countering the crafted admin language cookie exploitation.

prevent

Applies least privilege to restrict DNS configuration changes to authorized entities, mitigating impacts of the authentication bypass.

Security Summary · AI

CVE-2018-25317 is a cookie session weakness vulnerability in Tenda W3002R, A302, and W309R wireless routers running firmware version V5.07.64_en. The flaw stems from insufficient session validation, enabling attackers to modify DNS settings without authentication. Specifically, attackers can send GET requests to the /goform/AdvSetDns endpoint using a crafted admin language cookie to alter the primary and secondary DNS servers. The vulnerability carries a CVSS v3.1 base score of 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) and is associated with CWE-290 (Authentication Bypass Missing Authorization).

Unauthenticated remote attackers can exploit this vulnerability over the network with low complexity and no user interaction required. By crafting and sending the malicious GET request, they can redirect all user traffic through malicious DNS servers, potentially enabling man-in-the-middle attacks, phishing, or further network compromise.

Advisories and exploit details are documented in the references, including an Exploit-DB entry at https://www.exploit-db.com/exploits/44380 and a VulnCheck advisory at https://www.vulncheck.com/advisories/tenda-w3002r-a302-w309r-64-en-cookie-session-weakness-dns-change.

Details

CWE(s)

Affected Products

Vendor   Product           Version
tenda    w3002r firmware   5.07.64_en
tenda    a302 firmware     5.07.64_en
tenda    w309r firmware    5.07.64_en

References