CVE-2025-11294
Published 2025-10-05
Priority: P2 · 66 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.20% (64.4th percentile)
A vulnerability was detected in Belkin F9K1015 1.00.10. Affected by this issue is some unknown functionality of the file /goform/formL2TPSetup. The manipulation of the argument L2TPUserName results in buffer overflow. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| belkin | f9k1015 | — | — |
| belkin | f9k1015_firmware | — | — |
Detection & IOCs (extracted from sources)
path: /goform/formL2TPSetup
url: https://github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_7/7.md
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formL2TPSetup L2TPUserName Parameter Buffer Overflow Attempt (CVE-2025-7087, CVE-2025-11294)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/goform/formL2TPSetup"; fast_pattern; http.request_body; content:"L2TPUserName|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_7/7.md; reference:cve,2025-7087; reference:cve,2025-11294; classtype:web-application-attack; sid:2067136; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_27, cve CVE_2025_7087_CVE_2025_11294, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- Attack is delivered via HTTP POST to the exact URI /goform/formL2TPSetup with a URI length of exactly 21 bytes; match on both method and URI size for precision.
- The overflow is triggered in the L2TPUserName POST body parameter; look for the parameter name followed by '=' (written as the hex byte |3d| in the rule) with a value of 100 or more characters not containing '&'.
- Traffic is expected in plaintext (not TLS); deploy detection at the network perimeter and internally.
- MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190); target is the destination IP (the Belkin device).
- The affected product listed in the Snort rule metadata says 'D_Link', but the CVE and rule message clearly describe a Belkin F9K1015 device; this metadata field appears to be an error in the rule.
- The exploit is publicly available; treat any POST to /goform/formL2TPSetup with an oversized L2TPUserName value as high-confidence malicious activity.
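The conditions listed above can also be applied offline, for example to requests recovered from a proxy log or packet capture. The following is an added example, not part of the rule set or of the original page; it approximates the rule's method, URI and body checks in Python, and the sample requests, the `/goform/example` path and the `x` and `note` parameter names are constructed placeholders.

```python
import re

# Conditions taken from the rule on this page (sid:2067136).
RULE_URI = "/goform/formL2TPSetup"   # http.uri content; bsize:21 makes it an exact match
RULE_BODY = re.compile(rb"L2TPUserName=[^&]{100,}(?:&|$)")  # content + relative pcre

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("ascii", "replace").split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], body

def matches_rule(raw: bytes) -> bool:
    """True when the request meets every condition the rule checks."""
    method, uri, body = parse_request(raw)
    if method != "POST":   # simplification: the rule does a content match on the method
        return False
    if len(uri) != 21 or uri != RULE_URI:
        return False
    # This check runs on the raw body bytes, with no URL-decoding.
    return RULE_BODY.search(body) is not None

def build(method: str, uri: str, body: str) -> bytes:
    """Build a constructed sample request (192.0.2.1 is a documentation address)."""
    return (f"{method} {uri} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode("ascii")

# Constructed samples, not captured traffic.
SAMPLES = {
    "short_value": build("POST", RULE_URI, "L2TPUserName=alice&x=1"),
    "value_99": build("POST", RULE_URI, "L2TPUserName=" + "A" * 99 + "&x=1"),
    "value_100": build("POST", RULE_URI, "L2TPUserName=" + "A" * 100 + "&x=1"),
    "value_100_last": build("POST", RULE_URI, "x=1&L2TPUserName=" + "A" * 100),
    "long_other_param": build("POST", RULE_URI, "L2TPUserName=bob&note=" + "A" * 150),
    "other_uri": build("POST", "/goform/example", "L2TPUserName=" + "A" * 100),
    "get_request": build("GET", RULE_URI, "L2TPUserName=" + "A" * 100),
}

def triage(samples=SAMPLES):
    """Return {sample name: rule verdict}."""
    return {name: matches_rule(raw) for name, raw in samples.items()}

if __name__ == "__main__":
    for name, hit in triage().items():
        print(f"{name:18} {'ALERT' if hit else 'ok'}")
```

The 99/100 pair shows the exact threshold the rule's `{100,}` quantifier sets, and `long_other_param` shows that length in a different parameter does not trigger it.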
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Suricata
ET WEB_SPECIFIC_APPS Belkin formL2TPSetup L2TPUserName Parameter Buffer Overflow Attempt (CVE-2025-7087, CVE-2025-11294)
suricata·2026-01-27·CVSS 7.4
CVE-2025-7087 [HIGH] ET WEB_SPECIFIC_APPS Belkin formL2TPSetup L2TPUserName Parameter Buffer Overflow Attempt (CVE-2025-7087, CVE-2025-11294)
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formL2TPSetup.md
- https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formL2TPSetup.md#poc
- https://vuldb.com/?ctiid.327175
- https://vuldb.com/?id.327175
- https://vuldb.com/?submit.661298
Published: 2025-10-05