https://feed.craftedsignal.io/tags/dns-hijacking/Trending threats, MITRE ATT&CK coverage, and detection metadata — refreshed continuously.Hugoenhello@craftedsignal.iohello@craftedsignal.ioWed, 29 Apr 2026 20:16:27 +0000https://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijack/Wed, 29 Apr 2026 20:16:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijack/Tenda W308R v2 V5.07.48 is vulnerable to cookie session weakness, allowing unauthenticated attackers to modify DNS settings via crafted GET requests to redirect user traffic to malicious sites.Tenda W308R v2 running firmware V5.07.48 is susceptible to a cookie session weakness (CVE-2018-25316) that enables unauthenticated attackers to perform DNS hijacking. This vulnerability stems from insufficient session validation. An attacker can exploit this weakness by sending specially crafted GET requests to the goform/AdvSetDns endpoint. The malicious request includes a crafted admin language cookie, which bypasses authentication checks and allows modification of the device’s DNS server settings. Successful exploitation allows the attacker to redirect the router’s DNS queries to a malicious server under their control. This poses a significant risk to end-users, as it can lead to phishing attacks, malware distribution, and other malicious activities.

Attack Chain

1. The attacker identifies a vulnerable Tenda W308R v2 router running firmware V5.07.48 exposed to the internet.
2. The attacker crafts a malicious HTTP GET request targeting the goform/AdvSetDns endpoint.
3. The GET request includes a crafted “admin language cookie” designed to bypass authentication.
4. The router receives the malicious GET request and, due to insufficient session validation, incorrectly authenticates the attacker.
5. The router processes the malicious request, modifying the DNS server settings to attacker-controlled DNS servers.
6. Users connected to the compromised router now resolve domain names through the attacker’s DNS server.
7. The attacker’s DNS server redirects users to malicious websites, potentially serving malware or phishing pages.
8. Users unknowingly interact with the malicious content, leading to data theft, system compromise, or other harmful outcomes.

Impact

Successful exploitation of this vulnerability allows an attacker to control DNS resolution for all devices connected to the affected Tenda W308R v2 router. This can lead to widespread redirection to phishing sites designed to steal credentials, or to sites hosting malware that infects user devices. Given the widespread use of Tenda routers, this vulnerability could impact a large number of home and small business networks. A successful attack allows the attacker to perform man-in-the-middle attacks, eavesdrop on network traffic, and compromise connected devices.

Recommendation

• Deploy the Sigma rule Detect Tenda Router DNS Hijack Attempt to identify attempts to exploit this vulnerability by monitoring for suspicious requests to the /goform/AdvSetDns endpoint (log source: webserver).
• Monitor web server logs for requests containing a crafted admin language cookie to the /goform/AdvSetDns endpoint, indicating potential exploitation attempts (log source: webserver).
• Apply available patches or firmware updates from Tenda to address the cookie session weakness and prevent unauthorized DNS modifications.
• Consider replacing the affected device if a patch is unavailable, especially in high-risk environments.

]]>criticaladvisorycve-2018-25316dns-hijackingtendacookie-injectionhttps://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijacking/Wed, 29 Apr 2026 20:16:27 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijacking/Tenda W3002R/A302/W309R routers with firmware V5.07.64_en are vulnerable to unauthenticated DNS hijacking, where attackers exploit a cookie session weakness to modify DNS settings via crafted GET requests.Tenda W3002R, A302, and W309R wireless routers running firmware version V5.07.64_en are susceptible to a cookie session weakness (CVE-2018-25317). This vulnerability allows unauthenticated attackers to remotely modify DNS settings on the affected devices. The attack exploits insufficient session validation, enabling malicious actors to inject commands and redirect user traffic to attacker-controlled DNS servers. This poses a significant risk as it can lead to phishing attacks, malware distribution, and credential theft. Exploitation is straightforward, requiring only a crafted HTTP GET request, making it accessible to unsophisticated attackers. The vulnerability was reported in April 2026.

Attack Chain

1. An unauthenticated attacker identifies a vulnerable Tenda router with firmware V5.07.64_en.
2. The attacker crafts an HTTP GET request targeting the /goform/AdvSetDns endpoint.
3. The crafted GET request includes a malicious admin language cookie designed to bypass session validation.
4. The attacker injects modified DNS server addresses into the GET request parameters (primary DNS and secondary DNS).
5. The vulnerable router processes the malicious GET request without proper session validation.
6. The router updates its DNS settings to the attacker-specified DNS servers.
7. Users connected to the compromised router now resolve domain names through the attacker’s DNS server.
8. The attacker can redirect user traffic to malicious websites or intercept sensitive information.

Impact

Successful exploitation of CVE-2018-25317 allows attackers to perform DNS hijacking on vulnerable Tenda routers, potentially affecting all connected users. By controlling the DNS server, attackers can redirect users to phishing sites, distribute malware, or intercept sensitive communications. Given the ease of exploitation, a large number of routers could be compromised, leading to widespread disruption and data theft. The severity is heightened because no authentication is required to change the DNS settings.

Recommendation

• Deploy the Sigma rule Detect Tenda Router DNS Setting Modification to monitor web server logs for requests to the /goform/AdvSetDns endpoint.
• Apply network-level filtering to block connections to known malicious DNS servers based on threat intelligence feeds.
• Although no firmware update is available, consider replacing end-of-life Tenda routers (W3002R/A302/W309R with V5.07.64_en) with more secure models.

]]>criticaladvisorycve-2018-25317dns-hijackingrouter-vulnerabilityhttps://feed.craftedsignal.io/briefs/2024-01-tenda-dns-hijacking/Wed, 03 Jan 2024 18:00:00 +0000hello@craftedsignal.iohttps://feed.craftedsignal.io/briefs/2024-01-tenda-dns-hijacking/Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability (CVE-2018-25318) that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation, potentially redirecting user traffic to malicious sites.CVE-2018-25318 affects Tenda FH303/A300 routers running firmware version V5.07.68_EN. This vulnerability stems from a session weakness related to insufficient cookie validation. An unauthenticated attacker can exploit this flaw to modify the DNS settings of the router. By sending a crafted GET request to the /goform/AdvSetDns endpoint, an attacker can inject a malicious admin cookie. This allows them to overwrite the configured DNS servers, potentially redirecting all network traffic from connected devices through attacker-controlled infrastructure. This can lead to phishing attacks, malware distribution, and other malicious activities. The vulnerability poses a significant risk to home and small office networks using the affected Tenda routers.

Attack Chain

1. An attacker identifies a vulnerable Tenda FH303/A300 router running firmware V5.07.68_EN.
2. The attacker crafts a malicious HTTP GET request targeting the /goform/AdvSetDns endpoint.
3. The crafted GET request includes a forged admin cookie, bypassing authentication checks due to the session weakness.
4. The attacker sends the crafted GET request to the router’s management interface.
5. The router, due to insufficient cookie validation, accepts the forged cookie and processes the request.
6. The request modifies the DNS server settings on the router, replacing the legitimate DNS servers with attacker-controlled DNS servers.
7. Users connected to the router unknowingly use the attacker’s DNS servers for name resolution.
8. DNS requests are redirected to malicious IPs controlled by the attacker, potentially leading to phishing sites or malware downloads.

Impact

Successful exploitation of CVE-2018-25318 allows an attacker to perform DNS hijacking on affected Tenda routers. This can redirect users to malicious websites designed to steal credentials, distribute malware, or conduct other harmful activities. The vulnerability poses a critical risk to users of the affected routers, as it can compromise their online security and privacy. The CVSS v3.1 base score for this vulnerability is 9.8, highlighting its severity. The number of affected users is dependent on the number of deployed vulnerable devices.

Recommendation

• Monitor web server logs for requests to /goform/AdvSetDns with unusual parameters (Sigma rule: “Detect Tenda Router DNS Hijacking Attempt”).
• If possible, upgrade the router firmware to a version that patches CVE-2018-25318.
• Implement network segmentation to limit the impact of compromised devices.
• Consider using a reputable DNS service with built-in security features to mitigate the impact of DNS hijacking attacks.

]]>criticaladvisorycve-2018-25318tendadns-hijackingnetwork