CVE-2025-7091
published 2025-07-06CVE-2025-7091: A vulnerability was found in Belkin F9K1122 1.00.33. It has been classified as critical. Affected is the function formWlanMP of the file /goform/formWlanMP of…
PriorityP271high8.8CVSS 3.1
AVNACLPRLUINSUCHIHAH
EPSS
4.64%
90.6th percentile
A vulnerability was found in Belkin F9K1122 1.00.33. It has been classified as critical. Affected is the function formWlanMP of the file /goform/formWlanMP of the component webs. The manipulation of the argument ateFunc/ateGain/ateTxCount/ateChan/ateRate/ateMacID/e2pTxPower1/e2pTxPower2/e2pTxPower3/e2pTxPower4/e2pTxPower5/e2pTxPower6/e2pTxPower7/e2pTx2Power1/e2pTx2Power2/e2pTx2Power3/e2pTx2Power4/e2pTx2Power5/e2pTx2Power6/e2pTx2Power7/ateTxFreqOffset/ateMode/ateBW/ateAntenna/e2pTxFreqOffset/e2pTxPwDeltaB/e2pTxPwDeltaG/e2pTxPwDeltaMix/e2pTxPwDeltaN/readE2P leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| belkin | f9k1122 | — | — |
| belkin | f9k1122_firmware | — | — |
Detection & IOCsextracted from sources · hover to see the quote
snort
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formWlanMP Multiple Parameters Buffer Overflow Attempt (CVE-2025-7091)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:18; content:"/goform/formWlanMP"; fast_pattern; http.request_body; pcre:"/(?:ate(?:Func|Gain|TxCount|Chan|Rate|MacID|TxFreqOffset|Mode|BW|Antenna)|e2pTx(?:[2]?Power\d|PwDelta(?:B|G|N|Mix))|readE2P)\x3d[^&]{100,}(?:&|$)/"; reference:url,github.com/wudipjq/my_vuln; reference:cve,2025-7091; classtype:web-application-attack; sid:2063406; rev:1; metadata:affected_product Belkin, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_10, cve CVE_2025_7091, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)- →Attack is delivered via HTTP POST to the exact URI /goform/formWlanMP (URI length is exactly 18 bytes). Match on POST method and this URI path. ↗
- →Exploit triggers a stack-based buffer overflow by supplying an oversized value (≥100 characters) to any of the vulnerable POST body parameters: ateFunc, ateGain, ateTxCount, ateChan, ateRate, ateMacID, ateTxFreqOffset, ateMode, ateBW, ateAntenna, e2pTxPower1-7, e2pTx2Power1-7, e2pTxFreqOffset, e2pTxPwDeltaB/G/Mix/N, readE2P. ↗
- →Attack is remote and targets plaintext HTTP traffic (not TLS). Deploy detection at network perimeter and internally. ↗
- →The exploit PoC has been publicly disclosed on GitHub. Monitor for exploitation attempts originating from or referencing this repository. ↗
- ·The Snort/Suricata rule (ET sid:2063406) uses a PCRE match on the POST body for parameter values ≥100 characters. Tune the threshold if legitimate large payloads to this endpoint are observed in your environment. ↗
CVSS provenance
nvdv3.18.8HIGHCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
nvdv4.07.4HIGHCVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
nvdv2.09.0CRITICALAV:N/AC:L/Au:S/C:C/I:C/A:C
Stop checking back — get the weekly exploitation signal.
Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.
Suricata
ET WEB_SPECIFIC_APPS Belkin formWlanMP Multiple Parameters Buffer Overflow Attempt (CVE-2025-7091)
suricata·2025-07-10·CVSS 7.4
CVE-2025-7091 [HIGH] ET WEB_SPECIFIC_APPS Belkin formWlanMP Multiple Parameters Buffer Overflow Attempt (CVE-2025-7091)
ET WEB_SPECIFIC_APPS Belkin formWlanMP Multiple Parameters Buffer Overflow Attempt (CVE-2025-7091)
Rule: alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formWlanMP Multiple Parameters Buffer Overflow Attempt (CVE-2025-7091)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:18; content:"/goform/formWlanMP"; fast_pattern; http.request_body; pcre:"/(?:ate(?:Func|Gain|TxCount|Chan|Rate|MacID|TxFreqOffset|Mode|BW|Antenna)|e2pTx(?:[2]?Power\d|PwDelta(?:B|G|N|Mix))|readE2P)\x3d[^&]{100,}(?:&|$)/"; reference:url,github.com/wudipjq/my_vuln; reference:cve,2025-7091; classtype:web-application-attack; sid:2063406; rev:1; metadata:affected_product Belkin, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_10, cve CVE_2025_7091, de
No writeups or analysis indexed.
2025-07-06
Published