CVE-2025-7085
published 2025-07-06CVE-2025-7085: A vulnerability was found in Belkin F9K1122 1.00.33. It has been rated as critical. This issue affects the function formiNICWpsStart of the file…
PriorityP269high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
1.07%
60.8th percentile
A vulnerability was found in Belkin F9K1122 1.00.33. It has been rated as critical. This issue affects the function formiNICWpsStart of the file /goform/formiNICWpsStart of the component webs. The manipulation of the argument pinCode leads to stack-based buffer overflow. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| belkin | f9k1122 | — | — |
| belkin | f9k1122_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
urlhttps://github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_5/5.md
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formiNICWpsStart pinCode Parameter Buffer Overflow Attempt (CVE-2025-7085)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:24; content:"/goform/formiNICWpsStart"; fast_pattern; http.request_body; content:"pinCode|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_5/5.md; reference:cve,2025-7085; classtype:web-application-attack; sid:2067105; rev:1; metadata:affected_product Belkin, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_26, cve CVE_2025_7085, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_26, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)- →Exploit targets HTTP POST requests to the exact URI /goform/formiNICWpsStart with a URI length of exactly 24 bytes; match on both method and URI simultaneously. ↗
- →The overflow is triggered via the pinCode POST body parameter; look for the pinCode= field (URL-encoded as pinCode|3d|) followed by 100 or more characters before an ampersand or end-of-body, indicating an oversized value.
- →Traffic is expected in plaintext (not TLS); deploy detection at the network perimeter and internally.
- →The vulnerability is a stack-based buffer overflow in the webs component function formiNICWpsStart of Belkin F9K1122 firmware version 1.00.33; the attack is remotely exploitable with no authentication implied.
- ·The Snort/Suricata rule uses a fixed URI bsize of 24 bytes, matching only the exact path /goform/formiNICWpsStart with no additional path components; adjust if the device firmware routes the endpoint differently.
- ·The PCRE threshold of 100 characters for the pinCode value is the detection heuristic for overflow; legitimate WPS PIN codes are 8 digits, so any value exceeding 100 characters is anomalous.
- ·The vendor (Belkin) did not respond to disclosure; no patch is confirmed available for firmware version 1.00.33, meaning affected devices remain persistently vulnerable.
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS Belkin formiNICWpsStart pinCode Parameter Buffer Overflow Attempt (CVE-2025-7085)
suricata·2026-01-26·CVSS 7.4
CVE-2025-7085 [HIGH] ET WEB_SPECIFIC_APPS Belkin formiNICWpsStart pinCode Parameter Buffer Overflow Attempt (CVE-2025-7085)
ET WEB_SPECIFIC_APPS Belkin formiNICWpsStart pinCode Parameter Buffer Overflow Attempt (CVE-2025-7085)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formiNICWpsStart pinCode Parameter Buffer Overflow Attempt (CVE-2025-7085)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:24; content:"/goform/formiNICWpsStart"; fast_pattern; http.request_body; content:"pinCode|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_5/5.md; reference:cve,2025-7085; classtype:web-application-attack; sid:2067105; rev:1; metadata:affected_product Belkin, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_26, cve CVE_2025_7085, deployment Perimeter, deployment Internal, performance_impact
No public exploits indexed.
No writeups or analysis indexed.
2025-07-06
Published