CVE-2018-25317 - Vulnerability Analysis
Critical | CVSS: 9.8 | Last Updated: April 29, 2026
Tenda W3002R/A302/W309R - Broken Access Control
Published: April 29, 2026 | Updated: April 29, 2026 | Remote Exploitable
Overview
Tenda W3002R/A302/W309R wireless routers running firmware V5.07.64_en contain a broken access control vulnerability caused by insufficient session validation in cookie handling, which lets unauthenticated attackers modify DNS settings via the /goform/AdvSetDns endpoint.
Severity & Score
Severity: Critical
CVSS Score: 9.8
Impact
Unauthenticated attackers can modify DNS settings, redirecting user traffic to malicious servers and enabling phishing or traffic interception.
Mitigation
Update to the latest firmware version that addresses session validation issues.
Details
- CVE ID: CVE-2018-25317
- Severity: Critical
- CVSS Score: 9.8
- Type: broken_access_control
- Status: new
CWE
- CWE-290
CVSS Metrics
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H