CVE-2025-8730
published 2025-08-08


Priority: P274 · critical · 9.8 (CVSS 3.1)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EXPLOIT
EPSS: 2.99% (85.6th percentile)

A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Affected

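4 ranges

| Vendor | Product | Version range | Fixed in |
|--------|---------|---------------|----------|
| belkin | f9k1009 |               |          |
| belkin | f9k1009 |               |          |
| belkin | f9k1010 |               |          |
| belkin | f9k1010 |               |          |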

Detection & IOCs (extracted from sources)

url: http://<router_ip>/login.cgi
path: /home.htm
path: /main.htm
path: /index.htm
path: /config.htm
path: /firmware.htm
path: /admin.htm

  • Monitor HTTP responses from Belkin F9K1009/F9K1010 web interfaces for authentication success indicators without valid credential submission, including response body strings such as 'login_success', 'login=1', 'auth=1', or 'access granted'.
  • Detect exploit tool fingerprint by monitoring for rapid sequential HTTP POST requests to the router web interface login endpoint originating from a single source IP, consistent with the exploit's credential-stuffing loop behaviour.
  • Alert on HTTP GET requests probing for device model strings 'F9K1009' or 'F9K1010' in response bodies, as the exploit performs device-type detection prior to credential attack.
  • The exploit targets the web interface over HTTP (not HTTPS) on the default router IP; monitor for unauthenticated access to administrative paths (/config.htm, /firmware.htm, /admin.htm) from external or unexpected source IPs.
  • Affected firmware versions are specifically 2.00.04 and 2.00.09 on Belkin F9K1009 and F9K1010 models only; detections should be scoped to these device/firmware combinations to reduce false positives.
  • The vendor did not respond to disclosure; no patch is confirmed available, meaning affected devices remain persistently vulnerable and network-level controls (firewall, VLAN isolation of management interface) are the primary mitigation.
  • The exploit is publicly available on Exploit-DB and actively usable; treat any Belkin F9K1009/F9K1010 device with firmware 2.00.04 or 2.00.09 exposed to the internet as actively at risk.
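
The following added example (not taken from the advisory, its sources, or any vendor tooling) applies two of the detections above, the burst of login POSTs from one source and administrative-path requests from unexpected sources, to constructed proxy log lines. The log format, the 192.168.2.0/24 management network, and the 5-requests-in-10-seconds threshold are assumptions to adapt to your environment.

```python
import ipaddress
from collections import defaultdict, deque

LOGIN_PATH = "/login.cgi"
ADMIN_PATHS = {"/config.htm", "/firmware.htm", "/admin.htm"}
MGMT_NETS = [ipaddress.ip_network("192.168.2.0/24")]  # assumed management LAN

# Constructed sample, one request per line: "<epoch> <src_ip> <method> <path>"
SAMPLE_LOG = """\
1002 203.0.113.7 POST /login.cgi
1003 203.0.113.7 POST /login.cgi
1004 203.0.113.7 POST /login.cgi
1005 203.0.113.7 POST /login.cgi
1006 203.0.113.7 POST /login.cgi
1007 203.0.113.7 GET /firmware.htm
truncated line
1050 198.51.100.23 GET /config.htm?x=1
1060 192.168.2.10 GET /admin.htm
"""

def parse(log):
    """Yield (ts, src, method, path) tuples, skipping malformed lines."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].isdigit():
            continue
        try:
            ipaddress.ip_address(parts[1])
        except ValueError:
            continue
        yield int(parts[0]), parts[1], parts[2], parts[3].split("?", 1)[0]

def login_bursts(events, window=10, threshold=5):
    """Sources with >= threshold login POSTs inside any window-second span."""
    recent, flagged = defaultdict(deque), set()
    for ts, src, method, path in events:  # events must be time-ordered
        if method == "POST" and path == LOGIN_PATH:
            q = recent[src]
            q.append(ts)
            while q[0] < ts - window:
                q.popleft()
            if len(q) >= threshold:
                flagged.add(src)
    return flagged

def external_admin_hits(events, mgmt_nets=MGMT_NETS):
    """(src, path) for admin-page requests from outside the management nets."""
    return [(src, path) for _, src, _, path in events
            if path in ADMIN_PATHS
            and not any(ipaddress.ip_address(src) in n for n in mgmt_nets)]
```

Per the scoping note above, feed it only traffic destined for F9K1009/F9K1010 devices on firmware 2.00.04 or 2.00.09.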

CVSS provenance

| Source | Version | Score | Severity | Vector |
|--------|---------|-------|----------|--------|
| nvd | v3.1 | 9.8 | CRITICAL | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| nvd | v4.0 | 8.9 | HIGH | CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X |
| nvd | v2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |