CVE-2018-25317

CRITICAL 9.8

Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change

CVSS Score

9.8

EPSS Score

0.0%

EPSS Percentile

0th

Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers.

CWE	CWE-290
Vendor	tenda
Product	w3002r
Published	Apr 29, 2026
Last Updated	Apr 29, 2026

Stay Ahead of the Next One

Get instant alerts for tenda w3002r

Be the first to know when new critical vulnerabilities affecting tenda w3002r are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

CVSS v3 Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Affected Versions

Tenda / W3002R

5.07.64

References

NVD ↗ CVE.org ↗ EPSS Data ↗

exploit-db.com: https://www.exploit-db.com/exploits/44380 vulncheck.com: https://www.vulncheck.com/advisories/tenda-w3002r-a302-w309r-64-en-cookie-session-weakness-dns-change