CVE-2025-11295

8.8 HIGH

📋 TL;DR

This vulnerability allows remote attackers to execute arbitrary code on Belkin F9K1015 routers via a buffer overflow in the PPPoE setup interface. Attackers can exploit this by sending specially crafted requests to the /goform/formPPPoESetup endpoint. All users of affected Belkin router models are at risk.

💻 Affected Systems

Products:
  • Belkin F9K1015
Versions: 1.00.10
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface which is typically enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to router takeover, credential theft, network traffic interception, and lateral movement to connected devices.

🟠 Likely Case

Router compromise allowing attackers to modify network settings, intercept traffic, or use the device as a foothold for further attacks.

🟢 If Mitigated

Limited impact if device is behind firewall with restricted WAN access, though internal threats remain possible.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is publicly available on GitHub, making exploitation straightforward for attackers.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: No

Instructions:

No official patch available. Vendor has not responded to disclosure. Consider replacing affected devices or implementing workarounds.

🔧 Temporary Workarounds

Disable PPPoE Interface

all

Disable the vulnerable PPPoE setup interface if not required for network operation.

Restrict Web Interface Access

all

Configure firewall rules to restrict access to the router's web management interface (typically port 80/443).

🧯 If You Can't Patch

  • Isolate affected routers in separate network segments with strict firewall rules
  • Replace vulnerable Belkin routers with supported, patched alternatives

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the web interface at http://[router-ip]/, or connect with telnet [router-ip] (if enabled) and check the version information.

Check Version:

curl -s http://[router-ip]/ | grep -i version

Alternatively, check the System Status page in the web interface.

Verify Fix Applied:

Verify firmware version is no longer 1.00.10. Since no patch exists, verification requires confirming workarounds are implemented.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/formPPPoESetup with long pppUserName parameters
  • Router reboot or configuration changes without authorization

Network Indicators:

  • Unusual outbound connections from router IP
  • Traffic to/from router on non-standard ports

SIEM Query:

source_ip="router_ip" AND (url_path="/goform/formPPPoESetup" OR (http_method="POST" AND (user_agent_contains="curl" OR user_agent_contains="python")))
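
The first log indicator above (POSTs to /goform/formPPPoESetup with a long pppUserName) can also be checked offline against exported logs. The following is an added example, not code from the advisory or the vendor; the JSON log schema, the 64-byte threshold and the sample records are assumptions constructed for illustration.

```python
import json
from urllib.parse import parse_qs

ENDPOINT = "/goform/formPPPoESetup"  # endpoint named in the advisory
PARAM = "pppUserName"                # parameter named in the advisory
MAX_LEN = 64                         # assumed threshold, tune per environment

# Constructed sample records. Assumed schema: one JSON object per line from a
# proxy or IDS in front of the router that records the request body.
SAMPLE_LOG = """\
{"ts":"2025-01-01T10:00:01Z","src":"192.0.2.10","method":"GET","path":"/","body":""}
{"ts":"2025-01-01T10:00:05Z","src":"192.0.2.10","method":"POST","path":"/goform/formPPPoESetup","body":"pppUserName=alice%40isp.example"}
{"ts":"2025-01-01T10:02:17Z","src":"198.51.100.7","method":"POST","path":"/goform/formPPPoESetup","body":"pppUserName=LONGVALUE"}
{"ts":"2025-01-01T10:02:19Z","src":"198.51.100.7","method":"post","path":"/goform/formPPPoESetup?pppUserName=ENCODED","body":""}
truncated or non-JSON line
""".replace("LONGVALUE", "A" * 300).replace("ENCODED", "%41" * 100)


def find_long_username_posts(lines, max_len=MAX_LEN):
    """Return one alert per POST to ENDPOINT whose PARAM exceeds max_len bytes."""
    alerts = []
    for line in lines:
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed records instead of aborting the scan
        if not isinstance(rec, dict):
            continue
        path, _, query = str(rec.get("path", "")).partition("?")
        if str(rec.get("method", "")).upper() != "POST" or path != ENDPOINT:
            continue
        # The field can arrive in the body or the query string; check both.
        # latin-1 maps each percent-decoded byte to one character, so len()
        # measures the decoded size rather than the size on the wire.
        values = []
        for blob in (str(rec.get("body", "")), query):
            values += parse_qs(blob, keep_blank_values=True,
                               encoding="latin-1").get(PARAM, [])
        longest = max((len(v) for v in values), default=0)
        if longest > max_len:
            alerts.append({"ts": rec.get("ts"), "src": rec.get("src"),
                           "length": longest})
    return alerts


if __name__ == "__main__":
    for alert in find_long_username_posts(SAMPLE_LOG.splitlines()):
        print(alert)
```

Measuring the decoded length matters because a percent-encoded value is three times longer on the wire than the bytes the router ends up copying.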
