cbcvebase.
CVE-2025-7090
published 2025-07-06

CVE-2025-7090: A vulnerability, which was classified as critical, has been found in Belkin F9K1122 1.00.33. Affected by this issue is the function formConnectionSetting of…

PriorityP271high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
4.09%
89.5th percentile
A vulnerability, which was classified as critical, has been found in Belkin F9K1122 1.00.33. Affected by this issue is the function formConnectionSetting of the file /goform/formConnectionSetting of the component webs. The manipulation of the argument max_Conn/timeOut leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

2 ranges
VendorProductVersion rangeFixed in
belkinf9k1122
belkinf9k1122_firmware

Detection & IOCsextracted from sources · hover to see the quote

url/goform/formConnectionSetting
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formConnectionSetting Multiple Parameters Buffer Overflow Attempt (CVE-2025-7090)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:29; content:"/goform/formConnectionSetting"; fast_pattern; http.request_body; pcre:"/(?:max_Conn|timeOut)\x3d[^&]{100,}(?:&|$)/"; reference:url,github.com/wudipjq/my_vuln; reference:cve,2025-7090; classtype:web-application-attack; sid:2063405; rev:1; metadata:affected_product Belkin, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_10, cve CVE_2025_7090, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
  • Exploit targets HTTP POST requests to the exact URI /goform/formConnectionSetting (URI byte size is exactly 29). Look for oversized values (100+ characters) in the `max_Conn` or `timeOut` POST body parameters as the overflow trigger.
  • The vulnerability is in the `formConnectionSetting` function of the `webs` component on Belkin F9K1122 firmware 1.00.33. The attack is remotely exploitable with no authentication implied, making perimeter and internal network monitoring both relevant.
  • Traffic is expected in plaintext (TLS state: plaintext), so SSL/TLS inspection is not required to detect this exploit. Deploy detection at the network perimeter and internally.
  • ·The Snort/Suricata rule (sid:2063405) uses `bsize:29` to match the exact URI length of `/goform/formConnectionSetting`. Ensure your IDS/IPS engine supports the `bsize` keyword (Suricata 4.x+ / Snort 3.x) to avoid false negatives.
  • ·The PCRE pattern triggers on POST body parameters `max_Conn` or `timeOut` with values of 100 or more characters. Tune the threshold (currently 100) based on observed legitimate traffic to reduce false positives.
  • ·The vendor (Belkin) was contacted prior to disclosure but did not respond. No patch is confirmed available; detection and network-level blocking are the primary mitigations.

CVSS provenance

nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.