cbcvebase.
CVE-2025-11299
published 2025-10-05

CVE-2025-11299: A vulnerability was identified in Belkin F9K1015 1.00.10. The affected element is an unknown function of the file /goform/formWanTcpipSetup. The manipulation…

PriorityP265high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.04%
59.6th percentile
A vulnerability was identified in Belkin F9K1015 1.00.10. The affected element is an unknown function of the file /goform/formWanTcpipSetup. The manipulation of the argument pppUserName leads to buffer overflow. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
VendorProductVersion rangeFixed in
belkinf9k1015
belkinf9k1015_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/goform/formWanTcpipSetup
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formWanTcpipSetup pppUserName Parameter Buffer Overflow Attempt (CVE-2025-7089, CVE-2025-11299)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:25; content:"/goform/formWanTcpipSetup"; fast_pattern; http.request_body; content:"pppUserName|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_9/9.md; reference:cve,2025-7089; reference:cve,2025-11299; classtype:web-application-attack; sid:2067138; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_27, cve CVE_2025_7089_CVE_2025_11299, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Detect HTTP POST requests to the exact URI /goform/formWanTcpipSetup (exact length 25 bytes) targeting Belkin F9K1015 devices.
  • Inspect the HTTP POST body for the pppUserName parameter (URL-encoded as pppUserName=) followed by a value of 100 or more characters not containing '&', which indicates a buffer overflow attempt.
  • The attack is plaintext HTTP (not TLS), flows from client to server (established,to_server), and is relevant for both perimeter and internal deployment points.
  • The exploit is publicly available; map to MITRE ATT&CK T1190 (Exploit Public-Facing Application) under tactic TA0001 (Initial Access).
  • ·The Snort/Suricata rule (ET sid:2067138) covers both CVE-2025-7089 and CVE-2025-11299 with a shared signature; tune or split if per-CVE fidelity is required.
  • ·The rule metadata incorrectly lists affected_product as D_Link; the actual affected device is Belkin F9K1015 v1.00.10. Verify asset inventory accordingly.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.