CVE-2025-11299

8.8 HIGH

📋 TL;DR

A buffer overflow vulnerability in Belkin F9K1015 routers allows remote attackers to execute arbitrary code by manipulating the pppUserName parameter. This affects Belkin F9K1015 routers running firmware version 1.00.10. Attackers can exploit this without authentication to potentially take control of affected devices.

💻 Affected Systems

Products:
  • Belkin F9K1015
Versions: 1.00.10
Operating Systems: Embedded router firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Affects the web management interface accessible via LAN/WAN. No special configuration required.

⚠️ Risk & Real-World Impact

🔴 Worst Case: Remote code execution leading to complete device compromise, network infiltration, and persistent backdoor installation.

🟠 Likely Case: Router compromise allowing traffic interception, DNS manipulation, and lateral movement into connected networks.

🟢 If Mitigated: Denial of service or limited impact if network segmentation and proper firewall rules are in place.

🌐 Internet-Facing: HIGH - The vulnerability is remotely exploitable and affects internet-facing router interfaces.
🏢 Internal Only: MEDIUM - Could be exploited from internal networks if attackers gain initial access.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Proof-of-concept exploit code is publicly available on GitHub. No authentication required for exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Unknown

Vendor Advisory: None available

Restart Required: Yes

Instructions:

No official patch available. Vendor has not responded to disclosure. Consider replacing affected devices.

🔧 Temporary Workarounds

Disable WAN Management (applies to: all)

Disable remote management/administration on the WAN interface.

Network Segmentation (applies to: all)

Isolate the router management interface to trusted network segments only.

🧯 If You Can't Patch

  • Replace affected Belkin F9K1015 routers with supported/patched alternatives
  • Implement strict firewall rules blocking all external access to router management interfaces

🔍 How to Verify

Check if Vulnerable:

Check the router firmware version in the web interface at http://[router-ip]/, or connect with telnet [router-ip] 80 and examine the HTTP response headers.

Check Version:

curl -I http://[router-ip]/ | grep Server

The Server header identifies the embedded HTTP server; confirm the firmware version (1.00.10) against the value shown in the web interface.

Verify Fix Applied:

No fix available to verify. Monitor for vendor firmware updates.

📡 Detection & Monitoring

Log Indicators:

  • Unusual POST requests to /goform/formWanTcpipSetup with long pppUserName parameters
  • Repeated requests of this kind from the same source in a short window (failed or retried exploitation attempts)

Network Indicators:

  • Unusual traffic patterns from router after exploitation
  • Outbound connections from router to unknown IPs

SIEM Query:

source="router_logs" AND uri="/goform/formWanTcpipSetup" AND parameter="pppUserName" AND length(value)>100
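As an added example (not part of this advisory), the following Python script applies the log indicators and the SIEM query above to a request log: it flags POSTs to /goform/formWanTcpipSetup whose pppUserName value exceeds 100 characters, checking both the body and the query string, and reports sources that repeat such requests. It assumes the log is JSON lines exported by a reverse proxy, WAF or IDS that records request bodies (a plain access log holds no POST bodies, so it cannot show this parameter); the field names ts, src, method, uri and body are assumptions, and all sample records are constructed.

```python
#!/usr/bin/env python3
"""Flag requests matching the detection indicators for CVE-2025-11299:
POSTs to /goform/formWanTcpipSetup whose pppUserName value is unusually
long, and sources that repeat such requests.

Input format is an assumption: one JSON object per line with the fields
ts, src, method, uri and body, as a proxy, WAF or IDS that records request
bodies might export.
"""
import json
from collections import Counter
from urllib.parse import parse_qs, urlsplit

TARGET_PATH = "/goform/formWanTcpipSetup"  # endpoint named in the advisory
TARGET_PARAM = "pppUserName"                # parameter named in the advisory
LENGTH_THRESHOLD = 100                      # same threshold as the SIEM query

# Constructed sample records (not real traffic). The long values are
# placeholder runs of 'A' used only to exercise the length check.
SAMPLE_LOG = "\n".join([
    json.dumps({"ts": "2025-10-06T10:00:01Z", "src": "192.0.2.10", "method": "POST",
                "uri": TARGET_PATH, "body": "pppUserName=alice%40isp&pppPassword=x"}),
    json.dumps({"ts": "2025-10-06T10:00:05Z", "src": "198.51.100.7", "method": "POST",
                "uri": TARGET_PATH, "body": "pppUserName=" + "A" * 300 + "&pppPassword=x"}),
    json.dumps({"ts": "2025-10-06T10:00:06Z", "src": "198.51.100.7", "method": "POST",
                "uri": TARGET_PATH + "?pppUserName=" + "A" * 150, "body": ""}),
    json.dumps({"ts": "2025-10-06T10:00:09Z", "src": "192.0.2.11", "method": "GET",
                "uri": "/index.asp", "body": ""}),
    json.dumps({"ts": "2025-10-06T10:00:12Z", "src": "192.0.2.12", "method": "POST",
                "uri": "/goform/formLogin", "body": "user=" + "A" * 300}),
])


def param_values(record):
    """Return every value of TARGET_PARAM found in the query string and body.

    Values are percent-decoded by parse_qs first, because an encoded value
    on the wire is not the same length as the bytes the device copies.
    """
    values = []
    query = urlsplit(record.get("uri", "")).query
    values += parse_qs(query, keep_blank_values=True).get(TARGET_PARAM, [])
    body = record.get("body", "")
    values += parse_qs(body, keep_blank_values=True).get(TARGET_PARAM, [])
    return values


def find_suspicious(log_text, threshold=LENGTH_THRESHOLD):
    """Return one alert dict per POST to TARGET_PATH with an over-long value."""
    alerts = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the scan
        if rec.get("method") != "POST":
            continue
        if urlsplit(rec.get("uri", "")).path != TARGET_PATH:
            continue
        for value in param_values(rec):
            if len(value) > threshold:
                alerts.append({"ts": rec.get("ts"), "src": rec.get("src"),
                               "param_length": len(value)})
    return alerts


def repeat_offenders(alerts, min_count=2):
    """Sources that sent at least min_count matching requests (repeated attempts)."""
    counts = Counter(a["src"] for a in alerts)
    return {src: n for src, n in counts.items() if n >= min_count}


if __name__ == "__main__":
    found = find_suspicious(SAMPLE_LOG)
    for a in found:
        print(f"ALERT {a['ts']} src={a['src']} {TARGET_PARAM} length={a['param_length']}")
    print("repeat sources:", repeat_offenders(found))
```

Run against the constructed sample it reports the two over-long requests from 198.51.100.7 and lists that source as a repeat offender; the legitimate PPPoE username, the GET and the long value sent to a different endpoint are not flagged. The threshold is a parameter so it can be tuned against the normal length of PPPoE usernames seen on a given network.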
