Cyber Resilience

CVE-2025-11292

Severity: Low · Public PoC
Published: 05 October 2025
Modified: 29 April 2026
KEV Added: not listed
Patch: none available
CVSS Score (v4): 2.1
CVSS Vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0058 (69.4th percentile)
Risk Priority: 5 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11292 is a low-severity Injection (CWE-74) vulnerability in Belkin F9K1015 firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a publicly referenced proof-of-concept.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-11292 is a command injection vulnerability affecting the Belkin F9K1015 router on firmware version 1.00.10. The flaw exists in an unknown function of the /goform/formBSSetSitesurvey file, where manipulation of the wan_ipaddr argument enables attackers to inject commands.

The vulnerability is remotely exploitable over the network with low attack complexity, requiring low privileges and no user interaction, as indicated by its CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L). Attackers with such privileges can achieve limited impacts on confidentiality, integrity, and availability through command execution, mapped to CWE-74 and CWE-77.

References point to a GitHub repository containing proof-of-concept exploit code and VulDB entries detailing the issue. The vendor was contacted early for disclosure but provided no response, and no official patches or mitigation guidance are available.

EU & UK References

Vulnerability details

A weakness has been identified in Belkin F9K1015 1.00.10. Affected is an unknown function of the file /goform/formBSSetSitesurvey. Executing a manipulation of the argument wan_ipaddr can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

CWE-74 (Injection)
CWE-77 (Command Injection)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1059.008 Network Device CLI (Execution)
Adversaries may abuse scripting or built-in command line interpreters (CLI) on network devices to execute malicious commands and payloads.

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Command injection via an unauthenticated remote web form on the router (/goform/formBSSetSitesurvey, argument wan_ipaddr) enables initial access by exploiting a public-facing application (T1190), indirect command execution (T1202), and network device CLI abuse (T1059.008).

CVEs Like This One

CVE-2025-11298: Same product (Belkin F9K1015)
CVE-2025-11303: Same product (Belkin F9K1015)
CVE-2025-11296: Same product (Belkin F9K1015)
CVE-2025-11300: Same product (Belkin F9K1015)
CVE-2026-5614: Same product (Belkin F9K1015)
CVE-2025-11295: Same product (Belkin F9K1015)
CVE-2025-11294: Same product (Belkin F9K1015)
CVE-2025-11302: Same product (Belkin F9K1015)
CVE-2025-11293: Same product (Belkin F9K1015)
CVE-2026-5610: Same product (Belkin F9K1015)

Affected Assets

Vendor: belkin
Product: f9k1015 firmware
Version: 1.00.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) (AI)

SI-10 Information Input Validation (prevent)
Directly blocks command injection by validating/sanitizing the wan_ipaddr argument before it reaches the formBSSetSitesurvey handler.

AC-6 Least Privilege (prevent)
Limits the privileges available to the low-privilege account that can reach the vulnerable endpoint, reducing the scope of commands that can be executed.

Network access restriction (prevent)
Restricts network access to the router's management interface, preventing remote unauthenticated or low-privilege attackers from reaching /goform/formBSSetSitesurvey.
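The SI-10 control above says to validate wan_ipaddr before the handler consumes it. The block below is an added example of what that validation looks like in firmware-style C; it is not Belkin code and not taken from the advisory or the referenced proof-of-concept. It uses an allowlist parser for a dotted-quad IPv4 address, so any byte that is not a digit or a dot (which covers every shell metacharacter) is rejected before the value can reach anything that builds a command. The function name accept_wan_ipaddr and the buffer sizes are assumptions, and all sample inputs are constructed.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/*
 * Strict allowlist parser for a dotted-quad IPv4 address.
 * Accepts exactly four decimal octets 0..255, separated by single dots,
 * with no leading zeros and no other characters at all. Anything a shell
 * would treat specially (space, ';', '|', '&', '`', '$', quotes, newlines)
 * can never pass because it is neither a digit nor a dot.
 */
bool is_valid_ipv4(const char *s)
{
    if (s == NULL)
        return false;

    size_t len = strlen(s);
    if (len < 7 || len > 15)               /* "0.0.0.0" .. "255.255.255.255" */
        return false;

    int octets = 0;
    const char *p = s;
    while (*p != '\0') {
        int value = 0, digits = 0;
        while (*p >= '0' && *p <= '9') {
            if (digits > 0 && value == 0)  /* "01", "007": reject leading zeros */
                return false;
            value = value * 10 + (*p - '0');
            digits++;
            if (digits > 3 || value > 255)
                return false;
            p++;
        }
        if (digits == 0)                   /* empty octet: ".1.2.3", "1..2.3" */
            return false;
        octets++;
        if (*p == '.') {
            if (octets == 4)               /* trailing dot after the last octet */
                return false;
            p++;
        } else if (*p != '\0') {
            return false;                  /* any non-digit, non-dot byte */
        }
    }
    return octets == 4;
}

/*
 * Hypothetical gate in front of the handler that consumes wan_ipaddr
 * (assumed name, not the firmware's). Copies the value into a fixed
 * buffer only if it validated; returns 0 on success and -1 when the
 * request should be rejected with an error response.
 */
int accept_wan_ipaddr(const char *input, char *out, size_t outlen)
{
    if (!is_valid_ipv4(input))
        return -1;
    if (strlen(input) + 1 > outlen)
        return -1;
    strcpy(out, input);                    /* length already checked above */
    return 0;
}

int main(void)
{
    /* Constructed sample inputs; none of these come from the advisory. */
    const char *samples[] = {
        "192.168.1.1",
        "10.0.0.254",
        "1.2.3.4;ls",
        "1.2.3.4 `uname`",
        "256.1.1.1",
        "01.2.3.4",
        "1.2.3",
        "1.2.3.4.",
    };
    char wan_ipaddr[16];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int rc = accept_wan_ipaddr(samples[i], wan_ipaddr, sizeof wan_ipaddr);
        printf("%-20s -> %s\n", samples[i], rc == 0 ? "accepted" : "rejected");
    }
    return 0;
}
```

The design choice worth noting is that the parser never tries to strip or escape bad characters; it only accepts the exact grammar of the field and refuses everything else. Escaping approaches tend to miss a metacharacter, while a positive grammar check has nothing to miss.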

References