CVE-2018-25318: Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change

Published Apr 29, 2026

Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites.

Affected Software

5 affected components

Tenda FH303/A300 firmware = V5.07.68_EN

All of the following:
    Tenda Fh303 Firmware = 5.07.68_en
    Tenda FH303

All of the following:
    Tenda A300 firmware = 5.07.68_en
    Tenda A300

Event History

Apr 29, 2026

07:24 PM: CVE Published via MITRE
07:24 PM: Data Sourced via MITRE (Description, Severity, Weakness)
08:16 PM: Data Sourced via NVD (Description, Severity, Weakness, Affected Software)
Frequently Asked Questions

1. What is the severity of CVE-2018-25318?

CVE-2018-25318 has been classified as a high severity vulnerability due to its potential risk of unauthorized DNS changes.

2. How do I fix CVE-2018-25318?

Fixing CVE-2018-25318 requires upgrading the Tenda FH303/A300 firmware to a version that addresses the cookie session weakness.

3. What type of vulnerability is CVE-2018-25318?

CVE-2018-25318 is a cookie session weakness vulnerability that affects Tenda FH303/A300 firmware.

4. Who is affected by CVE-2018-25318?

Users of Tenda FH303/A300 firmware version V5.07.68_EN are affected by CVE-2018-25318.

5. What can attackers do with CVE-2018-25318?

Attackers exploiting CVE-2018-25318 can modify DNS settings without authentication.