CVE-2025-7083
Published: 2025-07-06
Priority: P189 · CVSS 3.1 base score 8.8 (High)
Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
In the wild: yes (VulnCheck KEV)
EPSS: 38.14% (98.4th percentile)
A vulnerability was found in Belkin F9K1122 1.00.33. It has been classified as critical. This affects the function mp of the file /goform/mp of the component webs. The manipulation of the argument command leads to os command injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| belkin | f9k1122 | — | — |
| belkin | f9k1122_firmware | — | — |
Detection & IOCs (extracted from sources)
Snort/Suricata rule (ET Open, SID 2067094):
```suricata
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin mp command Parameter Command Injection Attempt (CVE-2025-7083)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:10; content:"/goform/mp"; fast_pattern; http.request_body; content:"command|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_3/3.md; reference:cve,2025-7083; classtype:attempted-admin; sid:2067094; rev:1;)
```
Byte pattern in the request body: command=
- The exploit is delivered via HTTP POST to the exact URI /goform/mp. The rule requires the POST method plus http.uri with bsize:10 (the URI is exactly 10 bytes), which keeps false positives low; note that in Suricata the http.uri buffer includes any query string, so a request to /goform/mp?... falls outside this match.
- The injected payload is carried in the 'command' parameter of the POST body. The rule looks for 'command=' (content:"command|3d|") and then, before the next '&', at least one shell metacharacter: semicolon (; / %3B), newline (\n / %0A), backtick (` / %60), pipe (| / %7C) or dollar sign ($ / %24). Because '&' is the form parameter separator, '&&'-style chaining (literal or %26%26) is not in the list and is not caught by this revision.
- The affected target is Belkin F9K1122 firmware 1.00.33, component webs. Scope detection to networking equipment on the internal/perimeter network.
- The exploit is publicly disclosed (see the GitHub writeup referenced in the rule). ET SID 2067094 rev:1 is cheap to run: the fast_pattern is the literal URI, so the PCRE is only evaluated on POSTs whose URI contains /goform/mp.
- Traffic is expected in plaintext (rule metadata tls_state plaintext), so focus inspection on unencrypted HTTP to internal/perimeter Belkin devices.
- Belkin was contacted prior to disclosure and did not respond. No patch is confirmed available; detection/blocking of the management interface, or discontinuing use of the device, are the available mitigations.
- The PCRE is anchored with ^ under the /R (relative) modifier, so it starts at the byte after 'command=' and scans only up to the first '&'. Both Suricata and Snort support /R, but the rule as written uses Suricata 5+ sticky-buffer keywords (http.method, http.uri, bsize, http.request_body); loading it in Snort 3 requires translating to the equivalent http_method / http_uri / bufferlen / http_client_body syntax.
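To make the rule's matching logic concrete, here is an added Python model of SID 2067094 run over constructed sample requests. It is example code written for this page, not Emerging Threats' rule or the Suricata engine, and it assumes Suricata's semantics for the keywords used (http.uri includes the query string; a content match followed by a relative pcre retries later occurrences of the content). The request parser, the sample requests and the test address 192.0.2.1 are all constructed for the example.

```python
import re

# Model of the matching logic of ET SID 2067094 for offline testing.
# Assumption: this approximates Suricata's semantics for the rule's keywords;
# it is an illustrative re-implementation, not the Suricata engine or the ET rule.

TARGET_URI = "/goform/mp"   # http.uri; bsize:10; content:"/goform/mp" -> whole URI buffer is exactly this
BODY_MARKER = "command="    # http.request_body; content:"command|3d|"
# pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"
# Under /R the ^ anchors at the byte after "command=", so we apply the pattern to that slice.
METACHAR_RE = re.compile(r"^[^&]*?(?:;|%3[Bb]|\n|%0[Aa]|`|%60|\||%7[Cc]|\$|%24)+")


def parse_http_request(raw: bytes) -> tuple[str, str, str]:
    """Minimal HTTP/1.x request splitter for constructed test traffic: (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    method, uri, _version = request_line.split(" ", 2)
    return method, uri, body.decode("latin-1")


def rule_2067094_matches(raw: bytes) -> bool:
    """Return True if the request satisfies every match condition of the rule."""
    method, uri, body = parse_http_request(raw)
    if method != "POST":                 # http.method; content:"POST"
        return False
    if uri != TARGET_URI:                # bsize:10: a query string changes the buffer length
        return False
    # content + relative pcre: if the pcre fails, the engine retries the next "command=" occurrence
    start = 0
    while (idx := body.find(BODY_MARKER, start)) != -1:
        if METACHAR_RE.match(body[idx + len(BODY_MARKER):]):
            return True
        start = idx + 1
    return False


def build_request(uri: str, body: str, method: str = "POST") -> bytes:
    """Build a constructed form request to a test address (192.0.2.1 is TEST-NET-1)."""
    return (
        f"{method} {uri} HTTP/1.1\r\n"
        f"Host: 192.0.2.1\r\n"
        f"Content-Type: application/x-www-form-urlencoded\r\n"
        f"Content-Length: {len(body)}\r\n\r\n{body}"
    ).encode("latin-1")


# Constructed sample traffic; the name of each case says what it exercises.
SAMPLES = {
    "semicolon_injection":     build_request("/goform/mp", "command=ping;id"),
    "url_encoded_pipe":        build_request("/goform/mp", "command=ping%7Cid"),
    "metachar_in_later_param": build_request("/goform/mp", "mode=1&command=ping`id`"),
    "benign_value":            build_request("/goform/mp", "command=status&page=1"),
    "metachar_after_amp":      build_request("/goform/mp", "command=status&note=a;b"),
    "query_string_uri":        build_request("/goform/mp?x=1", "command=ping;id"),
    "double_amp_chain":        build_request("/goform/mp", "command=ping%26%26id"),
    "get_method":              build_request("/goform/mp", "command=ping;id", method="GET"),
}


def evaluate_samples() -> dict[str, bool]:
    """Run every sample through the rule model and report which ones would alert."""
    return {name: rule_2067094_matches(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, hit in evaluate_samples().items():
        print(f"{'ALERT' if hit else 'pass '}  {name}")
```

The first three samples alert; the rest show where rev:1 of the rule stops: a query string on the URI breaks the bsize:10 match, a metacharacter in a parameter after 'command' is not attributed to it, %26%26 is not in the metacharacter list, and GET requests are out of scope. These are properties of the signature, not of the vulnerability, so pair it with blocking or logging on the management interface rather than treating an absence of alerts as proof of no activity.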
CVSS provenance

| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| NVD | CVSS 3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| NVD | CVSS 4.0 | 2.1 | LOW | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| NVD | CVSS 2.0 | 6.5 | MEDIUM | AV:N/AC:L/Au:S/C:P/I:P/A:P |
| VulnCheck | — | 5.3 | MEDIUM | — |

The v4.0 and v3.1 scores diverge because the v4.0 vector rates confidentiality, integrity and availability impact as Low (VC:L/VI:L/VA:L) with a proof-of-concept exploit maturity (E:P), whereas the v3.1 vector rates all three impacts High (C:H/I:H/A:H). Both agree that the attack is network-reachable, low-complexity and needs low privileges (PR:L) with no user interaction.
GHSA
GHSA-mhxg-258g-6mjw (ghsa_unreviewed · 2025-07-06 · CWE-77 · MEDIUM)
Title: A vulnerability was found in Belkin F9K1122 1
Description: same as the NVD description above.
VulnCheck
belkin f9k1122_firmware: Improper Neutralization of Special Elements used in a Command ('Command Injection')
vulncheck · 2025 · CVSS 5.3 (MEDIUM)
Description: same as the NVD description above.
Affected: belkin f9k1122_firmware
Required Action: Apply remediations or mitigations per vendor instructions, or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://api.vulncheck.com/v3/index/vulnche
Suricata
ET WEB_SPECIFIC_APPS Belkin mp command Parameter Command Injection Attempt (CVE-2025-7083)
suricata · 2026-01-26 · CVSS 5.3 (MEDIUM)
Rule (with ET metadata):
```suricata
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin mp command Parameter Command Injection Attempt (CVE-2025-7083)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:10; content:"/goform/mp"; fast_pattern; http.request_body; content:"command|3d|"; pcre:"/^[^\x26]*?(?:(?:\x3b|%3[Bb])|(?:\x0a|%0[Aa])|(?:\x60|%60)|(?:\x7c|%7[Cc])|(?:\x24|%24))+/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_3/3.md; reference:cve,2025-7083; classtype:attempted-admin; sid:2067094; rev:1; metadata:affected_product Belkin, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_26, cve CVE_2025_7083, deployment Perimeter, deployment Int
```
No public exploits indexed.
No writeups or analysis indexed.
Timeline
- 2025-07-06: Published
- Exploited in the wild (VulnCheck KEV)