CVE-2025-7092
Published: 2025-07-06
Priority: P2 · 70 · high
CVSS 3.1: 8.8 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
EPSS: 4.09% (89.5th percentile)
A vulnerability has been found in Belkin F9K1122 1.00.33 and classified as critical. This vulnerability affects the function formWlanSetupWPS of the file /goform/formWlanSetupWPS of the component webs. The manipulation of the argument wps_enrolee_pin/webpage leads to stack-based buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Affected
2 ranges
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| belkin | f9k1122 | — | — |
| belkin | f9k1122_firmware | — | — |
Detection & IOCs (extracted from sources)
snort

```
alert http any any -> $HOME_NET any (msg:"ET WEB_SPECIFIC_APPS Belkin formWlanSetupWPS Multiple Parameters Buffer Overflow Attempt (CVE-2025-7092)"; flow:established,to_server; http.method; content:"POST"; http.uri; bsize:24; content:"/goform/formWlanSetupWPS"; fast_pattern; http.request_body; pcre:"/(?:webpage|wps_enrolee_pin)\x3d[^&]{100,}(?:&|$)/"; reference:url,github.com/wudipjq/my_vuln; reference:cve,2025-7092; classtype:web-application-attack; sid:2063407; rev:1; metadata:affected_product Belkin, attack_target Networking_Equipment, tls_state plaintext, created_at 2025_07_10, cve CVE_2025_7092, deployment Perimeter, deployment Internal, performance_impact Low, confidence High, signature_severity Major, tag Exploit, updated_at 2025_07_10, mitre_tactic_id TA0001, mitre_tactic_name Initial_Access, mitre_technique_id T1190, mitre_technique_name Exploit_Public_Facing_Application; target:dest_ip;)
```

- Exploit targets HTTP POST requests to the exact URI /goform/formWlanSetupWPS (URI length is exactly 24 bytes); match on POST method and this URI path.
- Overflow is triggered via the 'webpage' or 'wps_enrolee_pin' POST body parameters containing 100 or more characters; detect with PCRE on the request body.
- Traffic is plaintext HTTP (not TLS); deploy detection at the network perimeter and internally.
- The attack is remotely initiated against the webs component of Belkin F9K1122 firmware 1.00.33; the exploit has been publicly disclosed.
- The Snort/Suricata rule (ET sid:2063407) uses a fixed URI bsize of 24 bytes for /goform/formWlanSetupWPS; ensure your IDS/IPS is configured to inspect HTTP request bodies (not just headers) to catch the overflow payload in POST parameters.
- The vendor (Belkin) did not respond to disclosure; no patch is available. Detection and network-level blocking are the primary mitigations.
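The rule's three conditions can also be applied offline to HTTP requests recovered from a proxy log or packet capture. The following is an added example, not part of the original page or the ET ruleset: the function names, the sample requests and the `/goform/formOther` path are constructed for illustration, while the URI and the regular expression are copied from the rule above.

```python
import re

# Values taken from the rule (ET sid:2063407) quoted on this page.
TARGET_URI = "/goform/formWlanSetupWPS"  # http.uri with bsize:24 => exact match
BODY_RE = re.compile(rb"(?:webpage|wps_enrolee_pin)\x3d[^&]{100,}(?:&|$)")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, uri, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line = head.split(b"\r\n", 1)[0].decode("latin-1")
    parts = request_line.split(" ")
    if len(parts) != 3:
        raise ValueError("malformed request line")
    return parts[0], parts[1], body


def matches_rule(raw: bytes) -> bool:
    """True when the request meets every condition of the rule."""
    try:
        method, uri, body = parse_request(raw)
    except ValueError:
        return False  # not an HTTP request; nothing to flag
    return (method == "POST" and uri == TARGET_URI
            and BODY_RE.search(body) is not None)


def _req(method, uri, body):
    # Constructed sample request; the host is a documentation address.
    return (f"{method} {uri} HTTP/1.1\r\nHost: 192.0.2.1\r\n"
            f"Content-Length: {len(body)}\r\n\r\n{body}").encode()


# Constructed samples: only the 100+ character POSTs to the target URI alert.
SAMPLES = {
    "normal PIN": _req("POST", TARGET_URI, "wps_enrolee_pin=12345670&webpage=wps.asp"),
    "99-char value": _req("POST", TARGET_URI, "webpage=" + "A" * 99),
    "100-char value": _req("POST", TARGET_URI, "webpage=" + "A" * 100),
    "long PIN, more params": _req("POST", TARGET_URI, "wps_enrolee_pin=" + "1" * 300 + "&x=1"),
    "long value, GET": _req("GET", TARGET_URI, "webpage=" + "A" * 300),
    "other form (hypothetical)": _req("POST", "/goform/formOther", "webpage=" + "A" * 300),
}

if __name__ == "__main__":
    for label, raw in SAMPLES.items():
        print(f"{'ALERT' if matches_rule(raw) else 'ok':5}  {label}")
```
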
CVSS provenance
| Source | Version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | v3.1 | 8.8 | HIGH | CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 7.4 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 9.0 | CRITICAL | AV:N/AC:L/Au:S/C:C/I:C/A:C |
Suricata
ET WEB_SPECIFIC_APPS Belkin formWlanSetupWPS Multiple Parameters Buffer Overflow Attempt (CVE-2025-7092)
suricata · 2025-07-10 · CVSS 7.4
No public exploits indexed.
No writeups or analysis indexed.