CVE-2025-11298
Published: 05 October 2025
Summary
CVE-2025-11298 is an Injection (CWE-74) vulnerability in Belkin F9K1015 firmware 1.00.10. Its CVSS v3.1 base score is 6.3 (Medium), vector AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L; a separate 2.1 (Low) rating also appears for this entry, but it does not correspond to that vector.
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked in the top 30.6% of CVEs by exploit likelihood; it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-11298 is a command injection vulnerability affecting the Belkin F9K1015 router running firmware version 1.00.10. The flaw resides in an unknown function behind the /goform/formSetWanStatic CGI endpoint, where the m_wan_ipaddr argument is processed without adequate neutralization, allowing an attacker to inject arbitrary commands. The issue is classified under CWE-74 (Improper Neutralization of Special Elements in Output Used by a Downstream Component, 'Injection') and CWE-77 (Improper Neutralization of Special Elements used in a Command, 'Command Injection'), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), medium severity.
The vulnerability can be exploited remotely by an attacker with low privileges, such as a user authenticated to the web interface. By manipulating the m_wan_ipaddr parameter in a request to the affected endpoint, the attacker can execute arbitrary commands on the underlying system. The vector rates confidentiality, integrity and availability impact as Low; in practice, arbitrary command execution on a router's embedded OS rarely stays that limited, so defenders should plan for full device compromise rather than the nominal impact.
No vendor patches or official mitigations are available, as Belkin was notified early but did not respond. A proof-of-concept exploit has been publicly disclosed on GitHub, including details in the referenced repository.
The exploit's public availability increases the risk of real-world attacks against unpatched Belkin F9K1015 devices.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-32237
Vulnerability details
A vulnerability was determined in Belkin F9K1015 1.00.10. Impacted is an unknown function of the file /goform/formSetWanStatic. Executing a manipulation of the argument m_wan_ipaddr can lead to command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote command injection vulnerability in the Belkin F9K1015 router's web interface (/goform/formSetWanStatic) via m_wan_ipaddr enables exploitation of a public-facing application (T1190) and indirect command execution (T1202), as explicitly mapped in the VulDB advisory.
Mitigating Controls (NIST 800-53 r5)
SI-10 (Information Input Validation): requires validation and sanitization of the m_wan_ipaddr argument in /goform/formSetWanStatic so that command injection payloads are rejected before they reach any command sink.
AC-6 (Least Privilege): restricts authenticated users to the minimum privileges needed for WAN configuration, limiting who can reach the vulnerable endpoint and the scope of what an injected command can do.
Boundary protection: restricts remote access to the router's management CGI endpoints from untrusted networks, so the endpoint is not reachable from the WAN side or from guest segments.
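The following C example is added here to illustrate the injection pattern described under "Deeper analysis" and the SI-10 validation the mitigating controls call for. It is not code from the Belkin firmware or from the referenced proof-of-concept; the page does not identify the real sink inside formSetWanStatic, so the vulnerable handler below is a constructed stand-in that assumes the parameter is spliced into a shell command line. The interface name "eth1" and the path /sbin/ifconfig are likewise assumptions for illustration.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Constructed vulnerable pattern (assumption, not the real firmware code):
 * the raw CGI parameter is formatted into a shell command line. Returned as
 * a string rather than executed so the effect can be inspected safely. */
int build_cmd_vulnerable(const char *m_wan_ipaddr, char *out, size_t outlen)
{
    /* With m_wan_ipaddr = "192.0.2.10;reboot" the resulting line is
     * "ifconfig eth1 192.0.2.10;reboot", which /bin/sh would run as two commands. */
    return snprintf(out, outlen, "ifconfig eth1 %s", m_wan_ipaddr);
}

/* SI-10: allowlist validation. Only a canonical dotted-quad IPv4 address is
 * accepted; empty input, shell metacharacters, whitespace and out-of-range
 * octets all fail. The character scan is defence in depth in front of the
 * strict inet_pton() parse. Returns 1 if valid, 0 otherwise. */
int validate_wan_ipaddr(const char *s)
{
    struct in_addr a;
    if (s == NULL || *s == '\0' || strlen(s) > 15)
        return 0;
    for (const char *p = s; *p; p++)
        if (!((*p >= '0' && *p <= '9') || *p == '.'))
            return 0;
    return inet_pton(AF_INET, s, &a) == 1;
}

/* Hardened handler: validate first, then run the tool with an argv array
 * via execv() instead of system(). Because no shell is involved, characters
 * such as ';', '|' and '`' carry no meaning even if validation were bypassed.
 * Returns -1 on rejected input or process failure, else the child's exit code.
 * "eth1" and /sbin/ifconfig are assumed values for this illustration. */
int apply_wan_static(const char *m_wan_ipaddr)
{
    if (!validate_wan_ipaddr(m_wan_ipaddr))
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        char *const argv[] = { "ifconfig", "eth1", (char *)m_wan_ipaddr, NULL };
        execv("/sbin/ifconfig", argv);
        _exit(127); /* only reached if execv fails */
    }
    int status = 0;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    /* Constructed sample inputs: one legitimate address, two injection attempts. */
    const char *samples[] = { "192.0.2.10", "192.0.2.10;reboot", "192.0.2.10`id`" };
    char cmd[256];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        build_cmd_vulnerable(samples[i], cmd, sizeof cmd);
        printf("input %-22s vulnerable cmd: %-40s validate: %d\n",
               samples[i], cmd, validate_wan_ipaddr(samples[i]));
    }
    return 0;
}
```

The two defences are independent: the allowlist stops the payload at the parameter boundary, and execv() removes the shell so that the metacharacters the attacker relies on are never interpreted. Fixing only the validation leaves the sink fragile; fixing only the sink still lets junk reach ifconfig.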