{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/dns-hijacking/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25316"}],"_cs_exploited":false,"_cs_products":["W308R v2"],"_cs_severities":["critical"],"_cs_tags":["cve-2018-25316","dns-hijacking","tenda","cookie-injection"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eTenda W308R v2 running firmware V5.07.48 is susceptible to a cookie session weakness (CVE-2018-25316) that enables unauthenticated attackers to perform DNS hijacking. This vulnerability stems from insufficient session validation. An attacker can exploit this weakness by sending specially crafted GET requests to the \u003ccode\u003egoform/AdvSetDns\u003c/code\u003e endpoint. The malicious request includes a crafted admin language cookie, which bypasses authentication checks and allows modification of the device\u0026rsquo;s DNS server settings. Successful exploitation allows the attacker to redirect the router\u0026rsquo;s DNS queries to a malicious server under their control. This poses a significant risk to end-users, as it can lead to phishing attacks, malware distribution, and other malicious activities.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker identifies a vulnerable Tenda W308R v2 router running firmware V5.07.48 exposed to the internet.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003egoform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe GET request includes a crafted \u0026ldquo;admin language cookie\u0026rdquo; designed to bypass authentication.\u003c/li\u003e\n\u003cli\u003eThe router receives the malicious GET request and, due to insufficient session validation, incorrectly authenticates the attacker.\u003c/li\u003e\n\u003cli\u003eThe router processes the malicious request, modifying the DNS server settings to attacker-controlled DNS servers.\u003c/li\u003e\n\u003cli\u003eUsers connected to the compromised router now resolve domain names through the attacker\u0026rsquo;s DNS server.\u003c/li\u003e\n\u003cli\u003eThe attacker\u0026rsquo;s DNS server redirects users to malicious websites, potentially serving malware or phishing pages.\u003c/li\u003e\n\u003cli\u003eUsers unknowingly interact with the malicious content, leading to data theft, system compromise, or other harmful outcomes.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of this vulnerability allows an attacker to control DNS resolution for all devices connected to the affected Tenda W308R v2 router. This can lead to widespread redirection to phishing sites designed to steal credentials, or to sites hosting malware that infects user devices. Given the widespread use of Tenda routers, this vulnerability could impact a large number of home and small business networks. A successful attack allows the attacker to perform man-in-the-middle attacks, eavesdrop on network traffic, and compromise connected devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tenda Router DNS Hijack Attempt\u003c/code\u003e to identify attempts to exploit this vulnerability by monitoring for suspicious requests to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint (log source: webserver).\u003c/li\u003e\n\u003cli\u003eMonitor web server logs for requests containing a crafted admin language cookie to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint, indicating potential exploitation attempts (log source: webserver).\u003c/li\u003e\n\u003cli\u003eApply available patches or firmware updates from Tenda to address the cookie session weakness and prevent unauthorized DNS modifications.\u003c/li\u003e\n\u003cli\u003eConsider replacing the affected device if a patch is unavailable, especially in high-risk environments.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:27Z","date_published":"2026-04-29T20:16:27Z","id":"/briefs/2026-04-tenda-dns-hijack/","summary":"Tenda W308R v2 V5.07.48 is vulnerable to cookie session weakness, allowing unauthenticated attackers to modify DNS settings via crafted GET requests to redirect user traffic to malicious sites.","title":"Tenda W308R DNS Hijacking Vulnerability (CVE-2018-25316)","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijack/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25317"}],"_cs_exploited":false,"_cs_products":["W3002R/A302/W309R wireless routers"],"_cs_severities":["critical"],"_cs_tags":["cve-2018-25317","dns-hijacking","router-vulnerability"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eTenda W3002R, A302, and W309R wireless routers running firmware version V5.07.64_en are susceptible to a cookie session weakness (CVE-2018-25317). This vulnerability allows unauthenticated attackers to remotely modify DNS settings on the affected devices. The attack exploits insufficient session validation, enabling malicious actors to inject commands and redirect user traffic to attacker-controlled DNS servers. This poses a significant risk as it can lead to phishing attacks, malware distribution, and credential theft. Exploitation is straightforward, requiring only a crafted HTTP GET request, making it accessible to unsophisticated attackers. The vulnerability was reported in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable Tenda router with firmware V5.07.64_en.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request targeting the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted GET request includes a malicious \u003ccode\u003eadmin language\u003c/code\u003e cookie designed to bypass session validation.\u003c/li\u003e\n\u003cli\u003eThe attacker injects modified DNS server addresses into the GET request parameters (primary DNS and secondary DNS).\u003c/li\u003e\n\u003cli\u003eThe vulnerable router processes the malicious GET request without proper session validation.\u003c/li\u003e\n\u003cli\u003eThe router updates its DNS settings to the attacker-specified DNS servers.\u003c/li\u003e\n\u003cli\u003eUsers connected to the compromised router now resolve domain names through the attacker\u0026rsquo;s DNS server.\u003c/li\u003e\n\u003cli\u003eThe attacker can redirect user traffic to malicious websites or intercept sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25317 allows attackers to perform DNS hijacking on vulnerable Tenda routers, potentially affecting all connected users. By controlling the DNS server, attackers can redirect users to phishing sites, distribute malware, or intercept sensitive communications. Given the ease of exploitation, a large number of routers could be compromised, leading to widespread disruption and data theft. The severity is heightened because no authentication is required to change the DNS settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tenda Router DNS Setting Modification\u003c/code\u003e to monitor web server logs for requests to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eApply network-level filtering to block connections to known malicious DNS servers based on threat intelligence feeds.\u003c/li\u003e\n\u003cli\u003eAlthough no firmware update is available, consider replacing end-of-life Tenda routers (W3002R/A302/W309R with V5.07.64_en) with more secure models.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:27Z","date_published":"2026-04-29T20:16:27Z","id":"/briefs/2026-04-tenda-dns-hijacking/","summary":"Tenda W3002R/A302/W309R routers with firmware V5.07.64_en are vulnerable to unauthenticated DNS hijacking, where attackers exploit a cookie session weakness to modify DNS settings via crafted GET requests.","title":"Tenda Router DNS Hijacking via Cookie Session Weakness","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijacking/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25318"}],"_cs_exploited":false,"_cs_products":["FH303/A300 firmware"],"_cs_severities":["critical"],"_cs_tags":["cve-2018-25318","tenda","dns-hijacking","network"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eCVE-2018-25318 affects Tenda FH303/A300 routers running firmware version V5.07.68_EN. This vulnerability stems from a session weakness related to insufficient cookie validation. An unauthenticated attacker can exploit this flaw to modify the DNS settings of the router. By sending a crafted GET request to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint, an attacker can inject a malicious admin cookie. This allows them to overwrite the configured DNS servers, potentially redirecting all network traffic from connected devices through attacker-controlled infrastructure. This can lead to phishing attacks, malware distribution, and other malicious activities. The vulnerability poses a significant risk to home and small office networks using the affected Tenda routers.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn attacker identifies a vulnerable Tenda FH303/A300 router running firmware V5.07.68_EN.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts a malicious HTTP GET request targeting the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted GET request includes a forged admin cookie, bypassing authentication checks due to the session weakness.\u003c/li\u003e\n\u003cli\u003eThe attacker sends the crafted GET request to the router\u0026rsquo;s management interface.\u003c/li\u003e\n\u003cli\u003eThe router, due to insufficient cookie validation, accepts the forged cookie and processes the request.\u003c/li\u003e\n\u003cli\u003eThe request modifies the DNS server settings on the router, replacing the legitimate DNS servers with attacker-controlled DNS servers.\u003c/li\u003e\n\u003cli\u003eUsers connected to the router unknowingly use the attacker\u0026rsquo;s DNS servers for name resolution.\u003c/li\u003e\n\u003cli\u003eDNS requests are redirected to malicious IPs controlled by the attacker, potentially leading to phishing sites or malware downloads.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25318 allows an attacker to perform DNS hijacking on affected Tenda routers. This can redirect users to malicious websites designed to steal credentials, distribute malware, or conduct other harmful activities. The vulnerability poses a critical risk to users of the affected routers, as it can compromise their online security and privacy. The CVSS v3.1 base score for this vulnerability is 9.8, highlighting its severity. The number of affected users is dependent on the number of deployed vulnerable devices.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eMonitor web server logs for requests to \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e with unusual parameters (Sigma rule: \u0026ldquo;Detect Tenda Router DNS Hijacking Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eIf possible, upgrade the router firmware to a version that patches CVE-2018-25318.\u003c/li\u003e\n\u003cli\u003eImplement network segmentation to limit the impact of compromised devices.\u003c/li\u003e\n\u003cli\u003eConsider using a reputable DNS service with built-in security features to mitigate the impact of DNS hijacking attacks.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-01-03T18:00:00Z","date_published":"2024-01-03T18:00:00Z","id":"/briefs/2024-01-tenda-dns-hijacking/","summary":"Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability (CVE-2018-25318) that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation, potentially redirecting user traffic to malicious sites.","title":"Tenda FH303/A300 DNS Hijacking Vulnerability (CVE-2018-25318)","url":"https://feed.craftedsignal.io/briefs/2024-01-tenda-dns-hijacking/"}],"language":"en","title":"CraftedSignal Threat Feed — Dns-Hijacking","version":"https://jsonfeed.org/version/1.1"}