{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/cve-2018-25316/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25316"}],"_cs_exploited":false,"_cs_products":["W308R v2"],"_cs_severities":["critical"],"_cs_tags":["cve-2018-25316","dns-hijacking","tenda","cookie-injection"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eTenda W308R v2 running firmware V5.07.48 is susceptible to a cookie session weakness (CVE-2018-25316) that enables unauthenticated attackers to perform DNS hijacking. This vulnerability stems from insufficient session validation. An attacker can exploit this weakness by sending specially crafted GET requests to the \u003ccode\u003egoform/AdvSetDns\u003c/code\u003e endpoint. The malicious request includes a crafted admin language cookie, which bypasses authentication checks and allows modification of the device\u0026rsquo;s DNS server settings. Successful exploitation allows the attacker to redirect the router\u0026rsquo;s DNS queries to a malicious server under their control. 
This poses a significant risk to end-users, as it can lead to phishing attacks, malware distribution, and other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda W308R v2 router running firmware V5.07.48 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003egoform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe GET request includes a crafted \u0026ldquo;admin language cookie\u0026rdquo; designed to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe router receives the malicious GET request and, due to insufficient session validation, incorrectly authenticates the attacker.\u003c/li\u003e\n\u003cli\u003eThe router processes the malicious request, modifying the DNS server settings to attacker-controlled DNS servers.\u003c/li\u003e\n\u003cli\u003eUsers connected to the compromised router now resolve domain names through the attacker\u0026rsquo;s DNS server.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s DNS server redirects users to malicious websites, potentially serving malware or phishing pages.\u003c/li\u003e\n\u003cli\u003eUsers unknowingly interact with the malicious content, leading to data theft, system compromise, or other harmful outcomes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to control DNS resolution for all devices connected to the affected Tenda W308R v2 router. This can lead to widespread redirection to phishing sites designed to steal credentials, or to sites hosting malware that infects user devices. Given the widespread use of Tenda routers, this vulnerability could impact a large number of home and small business networks. 
A successful attack allows the attacker to perform man-in-the-middle attacks, eavesdrop on network traffic, and compromise connected devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tenda Router DNS Hijack Attempt\u003c/code\u003e to identify attempts to exploit this vulnerability by monitoring for suspicious requests to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint (log source: webserver).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing a crafted admin language cookie to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint, indicating potential exploitation attempts (log source: webserver).\u003c/li\u003e\n\u003cli\u003eApply available patches or firmware updates from Tenda to address the cookie session weakness and prevent unauthorized DNS modifications.\u003c/li\u003e\n\u003cli\u003eConsider replacing the affected device if a patch is unavailable, especially in high-risk environments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:27Z","date_published":"2026-04-29T20:16:27Z","id":"/briefs/2026-04-tenda-dns-hijack/","summary":"Tenda W308R v2 V5.07.48 is vulnerable to a cookie session weakness, allowing unauthenticated attackers to modify DNS settings via crafted GET requests to redirect user traffic to malicious sites.","title":"Tenda W308R DNS Hijacking Vulnerability (CVE-2018-25316)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijack/"}],"language":"en","title":"CraftedSignal Threat Feed — CVE-2018-25316","version":"https://jsonfeed.org/version/1.1"}