CVE-2025-11296
published 2025-10-05CVE-2025-11296: A vulnerability has been found in Belkin F9K1015 1.00.10. This vulnerability affects unknown code of the file /goform/formPPTPSetup. Such manipulation of the…
PriorityP266high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.00%
58.5th percentile
A vulnerability has been found in Belkin F9K1015 1.00.10. This vulnerability affects unknown code of the file /goform/formPPTPSetup. Such manipulation of the argument pptpUserName leads to buffer overflow. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| belkin | f9k1015 | — | — |
| belkin | f9k1015_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
path/goform/formPPTPSetup
urlgithub.com/wudipjq/my_vuln/blob/main/Belkin/vuln_6/6.md
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formPPTPSetup pptpUserName Parameter Buffer Overflow Attempt (CVE-2025-7086, CVE-2025-11296)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/goform/formPPTPSetup"; fast_pattern; http.request_body; content:"pptpUserName|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_6/6.md; reference:cve,2025-7086; reference:cve,2025-11296; classtype:web-application-attack; sid:2067135; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_27, cve CVE_2025_7086_CVE_2025_11296, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)- →Detect POST requests to /goform/formPPTPSetup with a pptpUserName parameter value exceeding 100 characters (buffer overflow trigger). The URI must be exactly 21 bytes.
- →The attack is plaintext HTTP (not TLS), targeting the device's web management interface from any external source to the home/internal network.
- →Classify detections as web-application-attack / Exploit Public-Facing Application (MITRE T1190, TA0001 Initial Access) targeting networking equipment.
- ·The Snort/Suricata rule targets $HOME_NET as the destination, meaning it is designed for perimeter and internal deployment monitoring inbound requests to the vulnerable device. Ensure the Belkin F9K1015 management interface is included in $HOME_NET scope.
- ·The vendor (Belkin) did not respond to disclosure; no official patch is confirmed. The exploit is public. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS Belkin formPPTPSetup pptpUserName Parameter Buffer Overflow Attempt (CVE-2025-7086, CVE-2025-11296)
suricata·2026-01-27·CVSS 7.4
CVE-2025-7086 [HIGH] ET WEB_SPECIFIC_APPS Belkin formPPTPSetup pptpUserName Parameter Buffer Overflow Attempt (CVE-2025-7086, CVE-2025-11296)
ET WEB_SPECIFIC_APPS Belkin formPPTPSetup pptpUserName Parameter Buffer Overflow Attempt (CVE-2025-7086, CVE-2025-11296)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formPPTPSetup pptpUserName Parameter Buffer Overflow Attempt (CVE-2025-7086, CVE-2025-11296)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/goform/formPPTPSetup"; fast_pattern; http.request_body; content:"pptpUserName|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_6/6.md; reference:cve,2025-7086; reference:cve,2025-11296; classtype:web-application-attack; sid:2067135; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_27, cve CVE_2025_708
No public exploits indexed.
No writeups or analysis indexed.
https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPTPSetup.mdhttps://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPTPSetup.md#pochttps://vuldb.com/?ctiid.327177https://vuldb.com/?id.327177https://vuldb.com/?submit.661300https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPTPSetup.mdhttps://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formPPTPSetup.md#poc
2025-10-05
Published