CVE-2025-7081
published 2025-07-06CVE-2025-7081: A vulnerability has been found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this vulnerability is the function formSetWanStatic of the…
PriorityP188high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
ITWVulnCheck KEV
Exploited in the wild
EPSS
15.10%
96.3th percentile
A vulnerability has been found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this vulnerability is the function formSetWanStatic of the file /goform/formSetWanStatic of the component webs. The manipulation of the argument m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 is directly passed by the attacker/so we can control the m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| belkin | f9k1122 | — | — |
| belkin | f9k1122_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formSetWanStatic Multiple Parameters Command Injection Attempt (CVE-2025-7081)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:24; content:"/goform/formSetWanStatic"; fast_pattern; http.request_body; pcre:"/m_wan_(?:ipaddr|netmask|gateway|staticdns1|staticdns2)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,github.com/wudipjq/my_vuln; reference:cve,2025-2081; reference:cve,2025-7081; classtype:attempted-admin; sid:2063404; rev:1; metadata:affected_product Belkin, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_10, cve CVE_2025_7081, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2025_07_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
- →Detect POST requests to /goform/formSetWanStatic with command injection characters (;, newline, backtick, pipe, $) in m_wan_ipaddr, m_wan_netmask, m_wan_gateway, m_wan_staticdns1, or m_wan_staticdns2 parameters — both raw and URL-encoded forms.
- →The exploit is delivered via HTTP POST to the webs component endpoint /goform/formSetWanStatic; the URI length is exactly 24 bytes, which can be used as a fast-pattern anchor.
- →The attack is remotely exploitable and targets the formSetWanStatic function in the Belkin F9K1122 firmware version 1.00.33; traffic is expected in plaintext (no TLS).
- →The manipulation of arguments m_wan_ipaddr, m_wan_netmask, m_wan_gateway, m_wan_staticdns1, and m_wan_staticdns2 are all injectable parameters; monitor all five in POST body for shell metacharacters.
- ·The Snort/Suricata rule (sid:2063404) contains a likely typo in one of its CVE references — 'reference:cve,2025-2081' should probably be 'reference:cve,2025-7081'. Verify before deploying to avoid mis-attribution.
- ·The vendor (Belkin) was contacted prior to disclosure but did not respond; no official patch is confirmed. Treat affected devices (Belkin F9K1122 1.00.33) as unpatched and prioritize network-level controls.
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.02.1LOWCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.06.5MEDIUMAV:N/AC:L/Au:S/C:P/I:P/A:P
vulncheck5.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
GHSA
GHSA-jc2r-6j78-38qm: A vulnerability has been found in Belkin F9K1122 1
ghsa_unreviewed·2025-07-06
CVE-2025-7081 [MEDIUM] CWE-77 GHSA-jc2r-6j78-38qm: A vulnerability has been found in Belkin F9K1122 1
A vulnerability has been found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this vulnerability is the function formSetWanStatic of the file /goform/formSetWanStatic of the component webs. The manipulation of the argument m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 is directly passed by the attacker/so we can control the m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
VulnCheck
belkin f9k1122_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck·2025·CVSS 5.3
CVE-2025-7081 [MEDIUM] belkin f9k1122_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')
belkin f9k1122_firmware Improper Neutralization of Special Elements used in a Command ('Command Injection')
A vulnerability has been found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this vulnerability is the function formSetWanStatic of the file /goform/formSetWanStatic of the component webs. The manipulation of the argument m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 is directly passed by the attacker/so we can control the m_wan_ipaddr/m_wan_netmask/m_wan_gateway/m_wan_staticdns1/m_wan_staticdns2 leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected: belkin f9k1122_f
Suricata
ET WEB_SPECIFIC_APPS Belkin formSetWanStatic Multiple Parameters Command Injection Attempt (CVE-2025-7081)
suricata·2025-07-10·CVSS 5.3
CVE-2025-2081 [MEDIUM] ET WEB_SPECIFIC_APPS Belkin formSetWanStatic Multiple Parameters Command Injection Attempt (CVE-2025-7081)
ET WEB_SPECIFIC_APPS Belkin formSetWanStatic Multiple Parameters Command Injection Attempt (CVE-2025-7081)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formSetWanStatic Multiple Parameters Command Injection Attempt (CVE-2025-7081)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:24; content:"/goform/formSetWanStatic"; fast_pattern; http.request_body; pcre:"/m_wan_(?:ipaddr|netmask|gateway|staticdns1|staticdns2)\x3d[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/"; reference:url,github.com/wudipjq/my_vuln; reference:cve,2025-2081; reference:cve,2025-7081; classtype:attempted-admin; sid:2063404; rev:1; metadata:affected_product Belkin, attack_target Networking_Equipment, tls_state plaintext, cre
No public exploits indexed.
No writeups or analysis indexed.
2025-07-06
Published
Exploited in the wild