CVSS 9.8 · CRITICAL

CVE-2018-25316

Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change DNS servers and redirect user traffic to malicious sites.

Analysis

This vulnerability affects an old, specific model of Tenda home router. It is unlikely to impact professional developers or production server environments managed by the community.

Severity

Score: 9.8 (CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Weakness type (CWE): CWE-290

EPSS

Exploitation probability (next 30 days): 0.0016 (0.2%)
Percentile: 36.5%
EPSS: 2026-05-06

Affects

tenda:w308r_firmware
tenda:w308r

Technical description

Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change DNS servers and redirect user traffic to malicious sites.

Published: 29/4/2026, 20:16:27
Last modified: 4/5/2026, 18:42:37
