cbcvebase.
CVE-2025-7084
published 2025-07-06

CVE-2025-7084: A vulnerability was found in Belkin F9K1122 1.00.33. It has been declared as critical. This vulnerability affects the function formWpsStart of the file…

PriorityP266high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.25%
65.6th percentile
A vulnerability was found in Belkin F9K1122 1.00.33. It has been declared as critical. This vulnerability affects the function formWpsStart of the file /goform/formWpsStart of the component webs. The manipulation of the argument pinCode leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
VendorProductVersion rangeFixed in
belkinf9k1122
belkinf9k1122_firmware

Detection & IOCsextracted from sources · hover to see the quote

path/goform/formWpsStart
urlhttps://github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_4/4.md
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formWpsStart pinCode Parameter Buffer Overflow Attempt (CVE-2025-7084)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:20; content:"/goform/formWpsStart"; fast_pattern; http.request_body; content:"pinCode|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_4/4.md; reference:cve,2025-7084; classtype:web-application-attack; sid:2067095; rev:1; metadata:affected_product Belkin, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_26, cve CVE_2025_7084, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets HTTP POST requests to /goform/formWpsStart with a URI length of exactly 20 bytes; match on this URI with bsize:20 to reduce false positives.
  • The overflow is triggered via the pinCode parameter in the POST body; look for 'pinCode=' followed by 100 or more characters before an '&' or end-of-body (PCRE: /^[^&]{100,}(?:&|$)/R).
  • Traffic is plaintext (no TLS); deploy detection at the network perimeter and internally on HTTP traffic to networking equipment.
  • The vulnerability is a stack-based buffer overflow in the webs component's formWpsStart function, exploitable remotely without authentication.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.