CVE-2025-11295
Published: 2025-10-05
Priority: P2 · 64 · high
CVSS 3.1: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 1.00% (58.5th percentile)
A flaw has been found in Belkin F9K1015 1.00.10. It affects an unknown part of the file /goform/formPPPoESetup. Manipulating the argument pppUserName causes a buffer overflow. The attack can be exploited remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| belkin | f9k1015 | — | — |
| belkin | f9k1015_firmware | — | — |
Detection & IOCs
path: /goform/formPPPoESetup
snort:
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formPPPoESetup pppUserName Parameter Buffer Overflow Attempt (CVE-2025-7088, CVE-2025-11295)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:22; content:"/goform/formPPPoESetup"; fast_pattern; http.request_body; content:"pppUserName|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_8/8.md; reference:cve,2025-7088; reference:cve,2025-11295; classtype:web-application-attack; sid:2067137; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_27, cve CVE_2025_7088_CVE_2025_11295, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
bytes: pppUserName=<100+ chars>
- Look for HTTP POST requests to the exact URI /goform/formPPPoESetup (URI length exactly 22 bytes) targeting Belkin F9K1015 devices on the internal network.
- Flag any POST body where the pppUserName parameter value is 100 or more characters long (i.e., pppUserName= followed by ≥100 non-ampersand characters), as this indicates a buffer overflow attempt.
- The attack is plaintext (non-TLS) and should be monitored at the network perimeter and internally; the exploit is publicly available.
- MITRE mapping: Initial Access (TA0001) via Exploit Public-Facing Application (T1190).
- The Snort/Suricata rule targets $HOME_NET as the destination, meaning it is designed to detect inbound exploitation attempts against internally-facing Belkin devices. Ensure $HOME_NET is correctly scoped to include device subnets where Belkin F9K1015 routers reside.
- The ET rule metadata incorrectly lists affected_product as D_Link; the actual affected product is Belkin F9K1015. Verify rule metadata before deploying to avoid confusion in alert triage.
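The same match logic can be replayed over captured or proxied requests when no IDS sits in the path. The following is an added example, not the ET rule's or this page's own code; it checks raw body bytes as the rule does, and the sample requests, the `other` field, the `/goform/other` path and the 192.0.2.1 host are constructed.

```python
import re

URI = "/goform/formPPPoESetup"  # 22 bytes, matching the rule's bsize:22
# Rule's content + relative pcre: "pppUserName=" followed by 100 or more
# non-ampersand bytes, then "&" or end of body.
LONG_USER = re.compile(rb"pppUserName=([^&]{100,})(?:&|$)")

def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body), or None."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].decode("latin-1").split(" ")
    return (parts[0], parts[1], body) if len(parts) == 3 else None

def check(raw: bytes):
    """Return the matched pppUserName length, or None if the rule would not fire."""
    parsed = parse_request(raw)
    if parsed is None:
        return None
    method, uri, body = parsed
    if method != "POST" or uri != URI:
        return None
    m = LONG_USER.search(body)
    return len(m.group(1)) if m else None

def build(method: str, uri: str, body: str) -> bytes:
    """Constructed sample request; header values are placeholders."""
    head = (f"{method} {uri} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Content-Type: application/x-www-form-urlencoded\r\n"
            f"Content-Length: {len(body)}\r\n\r\n")
    return (head + body).encode("latin-1")

# Constructed samples; "other" is a made-up second form field.
SAMPLES = {
    "normal login": build("POST", URI, "pppUserName=user@isp.example&other=1"),
    "99 chars": build("POST", URI, "pppUserName=" + "A" * 99 + "&other=1"),
    "100 chars": build("POST", URI, "other=1&pppUserName=" + "A" * 100),
    "wrong method": build("GET", URI, "pppUserName=" + "A" * 100),
    "other form": build("POST", "/goform/other", "pppUserName=" + "A" * 200),
}

def scan(samples):
    """Map each sample label to the oversized length, keeping only hits."""
    return {k: n for k, v in samples.items() if (n := check(v)) is not None}

if __name__ == "__main__":
    print(scan(SAMPLES))
```

Only the 100-character sample is flagged, which confirms the threshold sits exactly where the rule's `{100,}` quantifier puts it.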
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Suricata
ET WEB_SPECIFIC_APPS Belkin formPPPoESetup pppUserName Parameter Buffer Overflow Attempt (CVE-2025-7088, CVE-2025-11295)
suricata·2026-01-27·CVSS 7.4
CVE-2025-7088 [HIGH] ET WEB_SPECIFIC_APPS Belkin formPPPoESetup pppUserName Parameter Buffer Overflow Attempt (CVE-2025-7088, CVE-2025-11295)
No public exploits indexed.
No writeups or analysis indexed.
- https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPPoESetup.md
- https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPPoESetup.md#poc
- https://vuldb.com/?ctiid.327176
- https://vuldb.com/?id.327176
- https://vuldb.com/?submit.661299