CVE-2025-7086
published 2025-07-06
Priority: P2 · 69 · high · 8.8 (CVSS 3.1)
AV:N / AC:L / PR:L / UI:N / S:U / C:H / I:H / A:H
EPSS: 3.92% (89.0th percentile)
A vulnerability classified as critical has been found in Belkin F9K1122 1.00.33. Affected is the function formPPTPSetup of the file /goform/formPPTPSetup of the component webs. Manipulation of the argument pptpUserName leads to a stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| belkin | f9k1122 | — | — |
| belkin | f9k1122_firmware | — | — |
Detection & IOCs (extracted from sources)
path: /goform/formPPTPSetup
url: https://github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_6/6.md
snort:
```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formPPTPSetup pptpUserName Parameter Buffer Overflow Attempt (CVE-2025-7086, CVE-2025-11296)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/goform/formPPTPSetup"; fast_pattern; http.request_body; content:"pptpUserName|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_6/6.md; reference:cve,2025-7086; reference:cve,2025-11296; classtype:web-application-attack; sid:2067135; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_27, cve CVE_2025_7086_CVE_2025_11296, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```
- Exploit targets HTTP POST requests to the exact URI /goform/formPPTPSetup (URI length is exactly 21 bytes); match on this path to identify exploitation attempts against the Belkin F9K1122 webs component.
- The overflow is triggered via the pptpUserName POST body parameter (URL-encoded as pptpUserName=); look for this parameter followed by a value of 100 or more characters (not containing '&') as the overflow payload indicator.
- The attack is plaintext HTTP (not TLS), directed inbound to the device's web management interface; deploy detection at the network perimeter and internally.
- The vulnerability is in the formPPTPSetup function of the webs component on Belkin F9K1122 version 1.00.33; manipulation of the pptpUserName argument causes a stack-based buffer overflow exploitable remotely.
- The Snort/Suricata rule metadata incorrectly lists affected_product as D_Link; the actual affected device is the Belkin F9K1122 router.
- The rule covers two CVEs simultaneously (CVE-2025-7086 and CVE-2025-11296); analysts should verify which specific CVE triggered an alert based on the targeted device model.
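The rule's match conditions described in the notes above, reproduced as an added Python example (not part of the original page or the ruleset) for checking proxy logs or captured requests offline. The function names, the `build` helper and the sample requests are constructed for illustration; the URI, parameter name and 100-byte threshold come from the rule.

```python
import re

# Constants copied from the Suricata rule quoted on this page.
TARGET_URI = b"/goform/formPPTPSetup"           # http.uri content, bsize:21
PARAM = b"pptpUserName="                        # content:"pptpUserName|3d|"
LONG_VALUE = re.compile(rb"[^&]{100,}(?:&|$)")  # the rule's pcre; match() anchors it


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    parts = head.split(b"\r\n", 1)[0].split(b" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], body


def matches_rule(raw: bytes) -> bool:
    """True when the request meets every condition of the rule."""
    method, uri, body = parse_request(raw)
    if method != b"POST" or uri != TARGET_URI:
        return False
    # The pcre is relative (/R): test it right after each occurrence of PARAM.
    start = body.find(PARAM)
    while start != -1:
        if LONG_VALUE.match(body, start + len(PARAM)):
            return True
        start = body.find(PARAM, start + 1)
    return False


def build(method: bytes, uri: bytes, body: bytes) -> bytes:
    """Hypothetical helper that assembles the constructed samples below."""
    return (method + b" " + uri + b" HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            b"Content-Length: " + str(len(body)).encode() + b"\r\n\r\n" + body)


# Constructed sample requests (not captured traffic).
SAMPLES = {
    "short value": build(b"POST", TARGET_URI, b"pptpUserName=alice&other=1"),
    "99 bytes": build(b"POST", TARGET_URI, b"pptpUserName=" + b"A" * 99),
    "100 bytes": build(b"POST", TARGET_URI, b"other=1&pptpUserName=" + b"A" * 100 + b"&x=1"),
    "wrong method": build(b"GET", TARGET_URI, b"pptpUserName=" + b"A" * 200),
    "other path": build(b"POST", b"/goform/other", b"pptpUserName=" + b"A" * 200),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:12s} -> {'ALERT' if matches_rule(raw) else 'no match'}")
```

Only the "100 bytes" sample alerts; the 99-byte value shows where the rule's length threshold sits.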
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Suricata
ET WEB_SPECIFIC_APPS Belkin formPPTPSetup pptpUserName Parameter Buffer Overflow Attempt (CVE-2025-7086, CVE-2025-11296)
suricata · 2026-01-27 · CVSS 7.4
CVE-2025-7086 [HIGH] ET WEB_SPECIFIC_APPS Belkin formPPTPSetup pptpUserName Parameter Buffer Overflow Attempt (CVE-2025-7086, CVE-2025-11296)
No public exploits indexed.
No writeups or analysis indexed.
Published: 2025-07-06