Skip to content
CVSS 9.8 · CRITICAL

CVE-2018-25318

Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites.

Ver en NVD

Análisis

This vulnerability affects specific, legacy Tenda home router models. While the CVSS score is high, this is vendor-specific consumer firmware that falls outside the community's focus on software development stack, DevOps, and enterprise infrastructure.

Severidad

Puntaje: 9.8(CRITICAL)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
AV: NETWORK
AC: LOW
PR: NONE
UI: NONE
S: UNCHANGED
C: HIGH
I: HIGH
A: HIGH
Tipo de falla (CWE): CWE-290

EPSS

Probabilidad de explotación (próx. 30 días): 0.0016 (0.2%)
Percentil: 36.5%
EPSS: 2026-05-06

Afecta

tenda:fh303_firmwaretenda:fh303tenda:a300_firmwaretenda:a300

Descripción técnica

Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites.

Publicada: 29/4/2026, 20:16:27
Última modificación: 4/5/2026, 18:40:04

Referencias

InicioEventosBlogRecursosEquipo