Cyber Resilience

CVE-2025-11298

Low · Public PoC

Published: 05 October 2025

Modified: 29 April 2026
CVSS v4 score: 2.1
CVSS v4 vector: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS score: 0.0058 (69.4th percentile)
Risk priority: 5 (weighting: 60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11298 is a low-severity Injection (CWE-74) vulnerability in Belkin F9K1015 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 30.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-11298 is a command injection vulnerability affecting the Belkin F9K1015 router running firmware version 1.00.10. The flaw resides in an unknown function within the /goform/formSetWanStatic CGI script, where the m_wan_ipaddr argument is processed insecurely, enabling attackers to inject arbitrary commands. This issue is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and CWE-77 (Command Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.

The vulnerability can be exploited remotely by an attacker who has low privileges, such as an authenticated user on the device. By manipulating the m_wan_ipaddr parameter during a request to the affected endpoint, the attacker can execute arbitrary commands on the underlying system, potentially leading to limited impacts on confidentiality, integrity, and availability.

No vendor patches or official mitigations are available, as Belkin was notified early but did not respond. A proof-of-concept exploit has been publicly disclosed on GitHub, including details in the referenced repository.

The exploit's public availability increases the risk of real-world attacks against unpatched Belkin F9K1015 devices.

EU & UK References

Vulnerability details

A vulnerability was determined in Belkin F9K1015 1.00.10. Impacted is an unknown function of the file /goform/formSetWanStatic. Executing a manipulation of the argument m_wan_ipaddr can lead to command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise Techniques (AI)

T1190: Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1202: Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.
Why these techniques?

Remote command injection vulnerability in the Belkin F9K1015 router's web interface (/goform/formSetWanStatic) via m_wan_ipaddr enables exploitation of a public-facing application (T1190) and indirect command execution (T1202), as explicitly mapped in the VulDB advisory.

CVEs Like This One

CVE-2025-11292 (same product: Belkin F9K1015)
CVE-2025-11303 (same product: Belkin F9K1015)
CVE-2025-11296 (same product: Belkin F9K1015)
CVE-2025-11300 (same product: Belkin F9K1015)
CVE-2026-5614 (same product: Belkin F9K1015)
CVE-2025-11295 (same product: Belkin F9K1015)
CVE-2025-11294 (same product: Belkin F9K1015)
CVE-2025-11302 (same product: Belkin F9K1015)
CVE-2025-11293 (same product: Belkin F9K1015)
CVE-2026-5610 (same product: Belkin F9K1015)

Affected Assets

belkin
f9k1015 firmware
1.00.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires validation and sanitization of the m_wan_ipaddr argument in /goform/formSetWanStatic to block command injection payloads.

prevent

Restricts authenticated users to the minimum privileges needed for WAN configuration, limiting the scope of injectable commands.

prevent

Enforces boundary protections that can restrict remote access to the router's management CGI endpoints from untrusted networks.
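
An allow-list form of the input-validation control above, as an added example (not code from the vendor, the advisory or the firmware): it classifies a request to /goform/formSetWanStatic by whether m_wan_ipaddr appears exactly once and is a strict dotted-quad IPv4 address, the kind of check a filtering proxy or a reviewer of captured management traffic could apply. The function names, verdict strings and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs, urlsplit

ENDPOINT = "/goform/formSetWanStatic"  # endpoint named in the advisory
PARAM = "m_wan_ipaddr"                 # argument named in the advisory
_QUAD = re.compile(r"([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})\.([0-9]{1,3})")


def is_strict_ipv4(value):
    """True only for four decimal octets 0-255 with no leading zeros.

    fullmatch() means nothing may precede or follow the address, so
    separators, whitespace and newlines are rejected without having to
    enumerate "dangerous" characters.
    """
    m = _QUAD.fullmatch(value)
    if not m:
        return False
    return all(int(o) <= 255 and (o == "0" or not o.startswith("0"))
               for o in m.groups())


def classify(target, body):
    """Return 'ignore', 'allow' or 'block:<reason>' for one request.

    target: request target (path plus optional query string)
    body:   application/x-www-form-urlencoded request body
    """
    parts = urlsplit(target)
    if parts.path.rstrip("/") != ENDPOINT:
        return "ignore"
    # Collect the parameter from both query string and body; values are
    # percent-decoded before validation, so encoded characters cannot hide.
    values = (parse_qs(parts.query, keep_blank_values=True).get(PARAM, [])
              + parse_qs(body, keep_blank_values=True).get(PARAM, []))
    if len(values) != 1:
        return "block:missing-or-repeated"
    if not is_strict_ipv4(values[0]):
        return "block:not-ipv4"
    return "allow"


# Constructed sample requests (not captured traffic, not a working payload).
SAMPLES = [
    ("/goform/formSetWanStatic", "m_wan_ipaddr=192.0.2.10&x=1"),
    ("/goform/formSetWanStatic", "m_wan_ipaddr=192.0.2.10%3BPLACEHOLDER"),
    ("/goform/formSetWanStatic", "m_wan_ipaddr=192.0.2.10&m_wan_ipaddr=192.0.2.11"),
    ("/index.html", ""),
]

if __name__ == "__main__":
    for target, body in SAMPLES:
        print(classify(target, body), target, body)
```

Because no vendor patch is available, a check like this only helps when it sits in front of the management interface or is run over recorded requests; it does not change how the firmware itself handles the argument.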

References