cbcvebase.
CVE-2025-7087
published 2025-07-06

CVE-2025-7087: A vulnerability classified as critical was found in Belkin F9K1122 1.00.33. Affected by this vulnerability is the function formL2TPSetup of the file…

PriorityP272high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
8.51%
94.4th percentile
A vulnerability classified as critical was found in Belkin F9K1122 1.00.33. Affected by this vulnerability is the function formL2TPSetup of the file /goform/formL2TPSetup of the component webs. The manipulation of the argument L2TPUserName leads to stack-based buffer overflow. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
VendorProductVersion rangeFixed in
belkinf9k1122
belkinf9k1122_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/goform/formL2TPSetup
commandL2TPUserName=
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formL2TPSetup L2TPUserName Parameter Buffer Overflow Attempt (CVE-2025-7087, CVE-2025-11294)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:21; content:"/goform/formL2TPSetup"; fast_pattern; http.request_body; content:"L2TPUserName|3d|"; pcre:"/^[^&]{100,}(?:&|$)/R"; reference:url,github.com/wudipjq/my_vuln/blob/main/Belkin/vuln_7/7.md; reference:cve,2025-7087; reference:cve,2025-11294; classtype:web-application-attack; sid:2067136; rev:1; metadata:affected_product D_Link, attack_target Networking_Equipment, tls_state plaintext, created_at 2026_01_27, cve CVE_2025_7087_CVE_2025_11294, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, tag Description_Generated_By_Proofpoint_Nexus, updated_at 2026_01_27, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit is delivered via HTTP POST to the exact URI /goform/formL2TPSetup with a URI length of exactly 21 bytes; match on both method and URI.
  • The overflow is triggered in the request body via the L2TPUserName parameter (URL-encoded '=' is 0x3d); a value of 100 or more characters (not containing '&') indicates an exploitation attempt.
  • Traffic is expected in plaintext (not TLS); deploy detection at the network perimeter and internally.
  • Public exploit PoC is available; reference the GitHub disclosure for additional payload context.
  • The attack is remotely exploitable with no authentication implied; treat any external POST to this endpoint as high-severity.
  • ·The Snort/Suricata rule metadata incorrectly lists 'affected_product D_Link'; the actual affected device is the Belkin F9K1122 v1.00.33.
  • ·The rule also covers CVE-2025-11294 in addition to CVE-2025-7087; detections firing on this rule may relate to either CVE.
  • ·Vendor did not respond to disclosure; no official patch is confirmed available.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.