CVE-2025-7082
Published 2025-07-06
Priority P2 78 · high · 8.8 CVSS 3.1
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS: 13.47% (96.0th percentile)
A vulnerability was found in Belkin F9K1122 1.00.33 and classified as critical. Affected by this issue is the function formBSSetSitesurvey of the file /goform/formBSSetSitesurvey of the component webs. The arguments wan_ipaddr, wan_netmask, wan_gateway and wl_ssid are passed directly by the attacker, so their manipulation leads to OS command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| belkin | f9k1122 | — | — |
| belkin | f9k1122_firmware | — | — |
Detection & IOCs (extracted from sources)
url: https://github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_2/2.md
snort
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formBSSetSitesurvey Multiple Parameters Command Injection Attempt (CVE-2025-7082)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:27; content:"/goform/formBSSetSitesurvey"; fast_pattern; http.request_body; content:"wan_ipaddr|3d|"; pcre:"/(?:wan_(?:ipaddr|netmask|gateway)|wl_ssid\x3d)[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_2/2.md; reference:cve,2025-7082; classtype:attempted-admin; sid:2067093; rev:1; metadata:affected_product Belkin, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_26, cve CVE_2025_7082, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit targets HTTP POST requests to the exact URI /goform/formBSSetSitesurvey (length 27 bytes) on Belkin F9K1122 devices; match on POST method and URI simultaneously.
- Request body must contain 'wan_ipaddr=' (hex-escaped in the rule as wan_ipaddr|3d|) as a fast anchor for the injection parameters wan_ipaddr, wan_netmask, wan_gateway, or wl_ssid.
- Command injection payload is identified by shell metacharacters (;, newline, backtick, pipe, $) appearing in the value of any of the four injectable parameters, either raw or percent-encoded.
- Attack is plaintext only (no TLS); deploy detection at the network perimeter and internally on traffic destined to the device's IP.
- The manipulation of the argument wan_ipaddr/wan_netmask/wan_gateway/wl_ssid is directly passed by the attacker and leads to OS command injection via the formBSSetSitesurvey function.
- Affected device is Belkin F9K1122 firmware version 1.00.33 only; scope detection to that specific model/version to reduce false positives.
- The vendor did not respond to disclosure; no official patch is available, making detection and network-level blocking the primary mitigation.
- The exploit is publicly disclosed; treat any matching traffic as high-confidence attempted admin-level compromise (MITRE T1190).
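The checks in the list above, as an added Python example for triaging captured or logged requests; it is not part of the original page or of the Emerging Threats rule. It decodes the form body and tests each of the four parameters regardless of their order; the function names and sample requests are constructed, and comparing only the URI path is an assumption.

```python
from urllib.parse import unquote_plus

TARGET_PATH = "/goform/formBSSetSitesurvey"
PARAMS = {"wan_ipaddr", "wan_netmask", "wan_gateway", "wl_ssid"}
# Metacharacters named in the rule: semicolon, newline, backtick, pipe, dollar.
SHELL_META = set(";\n`|$")


def flagged_params(method, uri, body):
    """Return the sorted names of the four parameters whose decoded value
    contains a shell metacharacter; [] if the request is out of scope."""
    path = uri.split("?", 1)[0]  # assumption: compare the path, ignore any query
    if method.upper() != "POST" or path != TARGET_PATH:
        return []
    hits = set()
    # Split on '&' before decoding so an encoded '&' or ';' stays inside its value.
    for pair in body.split("&"):
        name, _, value = pair.partition("=")
        name = unquote_plus(name)
        if name in PARAMS and SHELL_META & set(unquote_plus(value)):
            hits.add(name)
    return sorted(hits)


# Constructed sample requests (method, URI, body); EXAMPLE stands in for a payload.
SAMPLES = [
    ("POST", TARGET_PATH, "wan_ipaddr=192.0.2.10&wan_netmask=255.255.255.0&wl_ssid=HomeNet"),
    ("POST", TARGET_PATH, "wan_ipaddr=192.0.2.10%3BEXAMPLE&wl_ssid=HomeNet"),
    ("POST", TARGET_PATH, "wl_ssid=Home%60EXAMPLE%60&wan_ipaddr=192.0.2.10"),
    ("POST", TARGET_PATH, "wan_gateway=192.0.2.1|EXAMPLE&wan_netmask=255.255.255.0%0aEXAMPLE"),
    ("GET", TARGET_PATH, "wan_gateway=192.0.2.1|EXAMPLE"),
    ("POST", "/goform/other", "wl_ssid=a;b"),
]


def triage(samples):
    """Return (index, flagged parameter names) for every sample that matches."""
    return [(i, hit) for i, s in enumerate(samples) if (hit := flagged_params(*s))]


if __name__ == "__main__":
    for index, names in triage(SAMPLES):
        print(f"request {index}: metacharacter in {', '.join(names)}")
```

A legitimate SSID that contains `$` is flagged as well, so hits on wl_ssid alone are worth reviewing against the value before escalating.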
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
Suricata
ET WEB_SPECIFIC_APPS Belkin formBSSetSitesurvey Multiple Parameters Command Injection Attempt (CVE-2025-7082)
suricata · 2026-01-26 · CVSS 5.3
CVE-2025-7082 [MEDIUM] ET WEB_SPECIFIC_APPS Belkin formBSSetSitesurvey Multiple Parameters Command Injection Attempt (CVE-2025-7082)
No public exploits indexed.
No writeups or analysis indexed.