CVE-2025-11299
Published: 05 October 2025
Summary
CVE-2025-11299 is a high-severity Improper Restriction of Operations within the Bounds of a Memory Buffer (CWE-119) vulnerability in Belkin F9K1015 Firmware. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 43.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-16 (Memory Protection).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Requires validation of inputs such as the pppUserName argument to prevent buffer overflows from oversized or malformed data in the /goform/formWanTcpipSetup endpoint.
Implements memory protections like stack canaries, ASLR, and DEP to mitigate exploitation of buffer overflows even if input validation fails.
Mandates timely remediation of identified flaws like this buffer overflow through firmware updates or patches when made available by the vendor.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Buffer overflow in the public-facing web management interface (/goform/formWanTcpipSetup) via pppUserName parameter enables remote exploitation for initial access, directly facilitating Exploit Public-Facing Application.
NVD Description
A vulnerability was identified in Belkin F9K1015 1.00.10. The affected element is an unknown function of the file /goform/formWanTcpipSetup. The manipulation of the argument pppUserName leads to buffer overflow. It is possible to initiate the attack remotely. The exploit is…
more
publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Deeper analysisAI
CVE-2025-11299 is a buffer overflow vulnerability in Belkin F9K1015 firmware version 1.00.10. The flaw affects an unknown function within the /goform/formWanTcpipSetup file, where manipulation of the pppUserName argument triggers the overflow. Published on 2025-10-05, it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and maps to CWE-119 and CWE-120.
The vulnerability enables remote exploitation by attackers possessing low privileges. No user interaction is required, and attacks have low complexity. Successful exploitation can result in high impacts to confidentiality, integrity, and availability, potentially allowing arbitrary code execution or denial of service on the affected device.
Advisories from VulDB indicate the vendor was contacted early but provided no response, with no patches or official mitigations available. A proof-of-concept exploit is publicly hosted on GitHub, increasing the risk of active misuse.
The exploit is publicly available and might be used in real-world attacks, though no confirmed in-the-wild exploitation has been reported in the provided details.
Details
- CWE(s)