CVE-2025-11292
Published: 05 October 2025
Summary
CVE-2025-11292 is a command injection vulnerability (CWE-74 Injection, CWE-77 Command Injection) in Belkin F9K1015 firmware 1.00.10. Its CVSS v3.1 base score is 6.3 (Medium), as derived from the vector in the analysis below.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-11292 is a command injection vulnerability affecting the Belkin F9K1015 router on firmware version 1.00.10. The flaw exists in an unknown function of the /goform/formBSSetSitesurvey file, where manipulation of the wan_ipaddr argument enables attackers to inject commands.
The vulnerability is exploitable remotely over the network with low attack complexity, low privileges and no user interaction, as encoded in its CVSS v3.1 vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L (base score 6.3, Medium). Note the PR:L component: the attacker needs a low-privileged account on the web interface, not merely network reachability. With such an account, the injected commands give limited impact on confidentiality, integrity and availability; the weakness maps to CWE-74 and CWE-77.
References point to a GitHub repository containing proof-of-concept exploit code and VulDB entries detailing the issue. The vendor was contacted early for disclosure but provided no response, and no official patches or mitigation guidance are available.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-32238
Vulnerability details
A weakness has been identified in Belkin F9K1015 1.00.10. Affected is an unknown function of the file /goform/formBSSetSitesurvey. Executing a manipulation of the argument wan_ipaddr can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
- CWE(s): CWE-74 (Injection), CWE-77 (Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Command injection through the router's remote web form (/goform/formBSSetSitesurvey, argument wan_ipaddr), reachable with a low-privileged account per the CVSS vector, gives initial access by exploiting a public-facing application (T1190). The injected payload then runs as indirect command execution through the form handler (T1202) and as abuse of the network device's command line (T1059.008).
Affected Assets
- Belkin F9K1015, firmware 1.00.10
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): directly blocks the command injection by validating the wan_ipaddr argument against the format it is supposed to carry before it reaches the formBSSetSitesurvey handler, and by never passing it to a shell.
- AC-6 (Least Privilege): limits what the low-privileged account that can reach the vulnerable endpoint is allowed to do, reducing the scope of commands an injected payload can execute.
- Network access restriction on the management interface: keeps remote attackers, whether unauthenticated or holding a low-privileged account, from reaching /goform/formBSSetSitesurvey at all (for example, WAN-side management disabled and LAN-side access limited to administrative hosts).
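The following is an added example written for this page; it is not taken from the advisory, the referenced proof-of-concept repository or Belkin's firmware. It shows the SI-10 check in concrete form, an allow-list validator for wan_ipaddr, and reuses that validator as a detector over web-server log lines for /goform/formBSSetSitesurvey, the T1190 access path described above. It assumes the field is meant to carry a dotted-quad IPv4 address and that the parameter shows up in the query string of a Combined-Log-style line; the sample log lines are constructed, not real traffic.

```python
"""Added example (not from the advisory or the vendor).

Assumptions not stated by the advisory: wan_ipaddr is expected to hold a
dotted-quad IPv4 address, and the constructed sample log lines below use
a Combined-Log-style format with the parameter in the query string.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

VULN_PATH = "/goform/formBSSetSitesurvey"
PARAM = "wan_ipaddr"

# Strict dotted quad: four decimal octets, no sign, no whitespace, no
# leading zeros (some libc inet_aton() variants read those as octal).
_DOTTED_QUAD = re.compile(r"(?:(?:0|[1-9][0-9]{0,2})\.){3}(?:0|[1-9][0-9]{0,2})")


def wan_ipaddr_is_valid(value) -> bool:
    """Allow-list check: the value must be exactly an IPv4 address.

    Anything a shell could interpret (';', '|', '`', '$(', newline) fails
    simply because it is not an octet character; no deny-list is needed.
    """
    if not isinstance(value, str) or not _DOTTED_QUAD.fullmatch(value):
        return False
    try:
        ipaddress.IPv4Address(value)  # per-octet range check (0-255)
    except ValueError:
        return False
    return True


# Combined-Log-style request line: src ident user [ts] "METHOD target proto" status size
_LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+'
)


def flag_suspicious_requests(log_lines):
    """Return (source, timestamp, raw wan_ipaddr) for each request to the
    vulnerable endpoint whose wan_ipaddr is not a plain IPv4 address."""
    hits = []
    for line in log_lines:
        m = _LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != VULN_PATH:
            continue
        # parse_qs percent-decodes, so URL-encoded metacharacters are seen too.
        for raw in parse_qs(parts.query, keep_blank_values=True).get(PARAM, []):
            if not wan_ipaddr_is_valid(raw):
                hits.append((m.group("src"), m.group("ts"), raw))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2025:10:00:01 +0000] "GET /goform/formBSSetSitesurvey?wan_ipaddr=203.0.113.5 HTTP/1.1" 200 512',
    '192.0.2.77 - - [05/Oct/2025:10:00:07 +0000] "GET /goform/formBSSetSitesurvey?wan_ipaddr=203.0.113.5%3Bid HTTP/1.1" 200 512',
    '192.0.2.77 - - [05/Oct/2025:10:00:09 +0000] "POST /goform/formBSSetSitesurvey HTTP/1.1" 200 512',
    '192.0.2.10 - - [05/Oct/2025:10:00:11 +0000] "GET /index.html HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for hit in flag_suspicious_requests(SAMPLE_LOG):
        print("suspicious request:", hit)
```

Two points follow from the constructed data. The third line, a POST with no query string, is not flagged: standard access logs do not record form bodies, so if the parameter is sent in the body a real deployment needs a WAF, reverse proxy or packet capture to apply this check. On the device itself the same allow-list belongs in the handler, in front of whatever builds the command; passing the value as an argv element to an exec-style call instead of interpolating it into a shell string removes the injection sink entirely, and the validator then only guards the semantics of the field.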