{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/router-vulnerability/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2018-25317"}],"_cs_exploited":false,"_cs_products":["W3002R/A302/W309R wireless routers"],"_cs_severities":["critical"],"_cs_tags":["cve-2018-25317","dns-hijacking","router-vulnerability"],"_cs_type":"advisory","_cs_vendors":["Tenda"],"content_html":"\u003cp\u003eTenda W3002R, A302, and W309R wireless routers running firmware version V5.07.64_en are susceptible to a cookie session weakness (CVE-2018-25317). This vulnerability allows unauthenticated attackers to remotely modify DNS settings on the affected devices. The attack exploits insufficient session validation, enabling malicious actors to inject commands and redirect user traffic to attacker-controlled DNS servers. This poses a significant risk as it can lead to phishing attacks, malware distribution, and credential theft. Exploitation is straightforward, requiring only a crafted HTTP GET request, making it accessible to unsophisticated attackers. 
The vulnerability was reported in April 2026.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eAn unauthenticated attacker identifies a vulnerable Tenda router with firmware V5.07.64_en.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts an HTTP GET request targeting the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eThe crafted GET request includes a malicious \u003ccode\u003eadmin language\u003c/code\u003e cookie designed to bypass session validation.\u003c/li\u003e\n\u003cli\u003eThe attacker injects modified DNS server addresses into the GET request parameters (primary DNS and secondary DNS).\u003c/li\u003e\n\u003cli\u003eThe vulnerable router processes the malicious GET request without proper session validation.\u003c/li\u003e\n\u003cli\u003eThe router updates its DNS settings to the attacker-specified DNS servers.\u003c/li\u003e\n\u003cli\u003eUsers connected to the compromised router now resolve domain names through the attacker\u0026rsquo;s DNS server.\u003c/li\u003e\n\u003cli\u003eThe attacker can redirect user traffic to malicious websites or intercept sensitive information.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2018-25317 allows attackers to perform DNS hijacking on vulnerable Tenda routers, potentially affecting all connected users. By controlling the DNS server, attackers can redirect users to phishing sites, distribute malware, or intercept sensitive communications. Given the ease of exploitation, a large number of routers could be compromised, leading to widespread disruption and data theft. 
The severity is heightened because no authentication is required to change the DNS settings.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eDeploy the Sigma rule \u003ccode\u003eDetect Tenda Router DNS Setting Modification\u003c/code\u003e to monitor web server logs for requests to the \u003ccode\u003e/goform/AdvSetDns\u003c/code\u003e endpoint.\u003c/li\u003e\n\u003cli\u003eApply network-level filtering to block connections to known malicious DNS servers based on threat intelligence feeds.\u003c/li\u003e\n\u003cli\u003eNo firmware update is available, so consider replacing end-of-life Tenda routers (W3002R/A302/W309R with V5.07.64_en) with more secure models.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-29T20:16:27Z","date_published":"2026-04-29T20:16:27Z","id":"/briefs/2026-04-tenda-dns-hijacking/","summary":"Tenda W3002R/A302/W309R routers with firmware V5.07.64_en are vulnerable to unauthenticated DNS hijacking, where attackers exploit a cookie session weakness to modify DNS settings via crafted GET requests.","title":"Tenda Router DNS Hijacking via Cookie Session Weakness","url":"https://feed.craftedsignal.io/briefs/2026-04-tenda-dns-hijacking/"},{"_cs_actors":[],"_cs_cves":[{"cvss":9.8,"id":"CVE-2026-7244"}],"_cs_exploited":false,"_cs_products":["A8000RU"],"_cs_severities":["critical"],"_cs_tags":["command injection","router vulnerability","cve-2026-7244"],"_cs_type":"advisory","_cs_vendors":["Totolink"],"content_html":"\u003cp\u003eA critical security vulnerability, identified as CVE-2026-7244, has been discovered in Totolink A8000RU router firmware version 7.1cu.643_b20200521. This flaw resides within the CGI handler, specifically in the \u003ccode\u003esetWiFiEasyGuestCfg\u003c/code\u003e function located in the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e file. 
By manipulating the \u003ccode\u003emerge\u003c/code\u003e argument, a remote attacker can inject and execute arbitrary operating system commands on the affected device. The vulnerability is remotely exploitable and a proof-of-concept exploit has been publicly released, increasing the risk of widespread exploitation. This poses a significant threat as it allows for complete control over the device, potentially leading to data breaches, network compromise, and botnet recruitment.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eThe attacker sends a malicious HTTP request to the \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e endpoint on the Totolink A8000RU router.\u003c/li\u003e\n\u003cli\u003eThe request targets the \u003ccode\u003esetWiFiEasyGuestCfg\u003c/code\u003e function.\u003c/li\u003e\n\u003cli\u003eThe attacker crafts the request to include a payload in the \u003ccode\u003emerge\u003c/code\u003e argument designed to inject an OS command.\u003c/li\u003e\n\u003cli\u003eThe \u003ccode\u003ecstecgi.cgi\u003c/code\u003e script processes the request and passes the \u003ccode\u003emerge\u003c/code\u003e argument to a system call without proper sanitization.\u003c/li\u003e\n\u003cli\u003eThe injected OS command is executed with the privileges of the web server.\u003c/li\u003e\n\u003cli\u003eThe attacker gains arbitrary code execution on the router\u0026rsquo;s operating system.\u003c/li\u003e\n\u003cli\u003eThe attacker can then install malware, change router settings, or use the router as a pivot point to attack other devices on the network.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation of CVE-2026-7244 grants an attacker complete control over the vulnerable Totolink A8000RU router. 
This can lead to a variety of malicious activities, including data exfiltration, denial-of-service attacks, and the installation of persistent backdoors. Given the availability of a public exploit, a large number of devices could be compromised quickly. This could result in widespread botnet infections, impacting home users and small businesses relying on these routers for network connectivity.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eTo detect exploitation attempts, monitor web server logs for requests to \u003ccode\u003e/cgi-bin/cstecgi.cgi\u003c/code\u003e with suspicious parameters in the query string, especially in the \u003ccode\u003emerge\u003c/code\u003e argument (see rule: \u0026ldquo;Detect Totolink A8000RU Command Injection Attempt\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eImplement network intrusion detection system (NIDS) rules to identify malicious payloads being sent to the affected endpoint (see rule: \u0026ldquo;Detect Totolink A8000RU Command Injection - Network\u0026rdquo;).\u003c/li\u003e\n\u003cli\u003eApply the Sigma rule \u0026ldquo;Detect Totolink A8000RU Command Injection in Logs\u0026rdquo; to your SIEM to identify successful command injection attempts based on web server logs.\u003c/li\u003e\n\u003cli\u003eMonitor for unusual process execution originating from the web server process, which may indicate exploitation.\u003c/li\u003e\n\u003cli\u003eUnfortunately, a patch is not available, so consider migrating to a more secure router.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-04-28T09:16:17Z","date_published":"2026-04-28T09:16:17Z","id":"/briefs/2026-04-totolink-command-injection/","summary":"A critical OS command injection vulnerability (CVE-2026-7244) exists in the setWiFiEasyGuestCfg function of the /cgi-bin/cstecgi.cgi file in Totolink A8000RU version 7.1cu.643_b20200521, allowing remote attackers to execute arbitrary 
commands.","title":"Totolink A8000RU Command Injection Vulnerability (CVE-2026-7244)","url":"https://feed.craftedsignal.io/briefs/2026-04-totolink-command-injection/"}],"language":"en","title":"CraftedSignal Threat Feed — Router Vulnerability","version":"https://jsonfeed.org/version/1.1"}