CVE-2018-25318

CRITICAL

Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change

Title source: cna
STIX 2.1

Description

Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites.

Exploits (1)

exploitdb WORKING POC
by Todor Donev · textwebappsasp
https://www.exploit-db.com/exploits/44381

References (2)

Core 2
Core References
Exploit exploit
ExploitDB-44381
https://www.exploit-db.com/exploits/44381
Third Party Advisory third-party-advisory
VulnCheck Advisory: Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change
https://www.vulncheck.com/advisories/tenda-fh303-a300-68-en-cookie-session-weakness-dns-change

Scores

CVSS v3 9.8
EPSS 0.0004
EPSS Percentile 13.1%
Attack Vector NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CISA SSVC

Vulnrichment
Exploitation poc
Automatable yes
Technical Impact total

Details

CWE
CWE-290
Status published
Products (1)
Tenda/FH303/A300 5.07.68
Published Apr 29, 2026
Tracked Since Apr 30, 2026