CVE-2018-25317 CRITICAL

CVE-2018-25317: Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change

Vendor Tenda
Product W3002R
Weakness CWE-290
Published April 29, 2026
Last update April 30, 2026

CVSS base score

9.3/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

What the vulnerability does

01 Description

Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers.

Key dates

02 Disclosure timeline

April 29, 2026 CVE published
April 30, 2026 Record updated