Cyber Resilience

CVE-2025-11303

Low · Public PoC

Published: 05 October 2025

Modified: 29 April 2026
KEV Added
Patch
CVSS Score (v4): 2.1, vector CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score: 0.0058 (69.4th percentile)
Risk Priority: 5 (60% EPSS · 20% KEV · 20% CVSS)

Summary

CVE-2025-11303 is a low-severity Injection (CWE-74) vulnerability in Belkin F9K1015 Firmware. Its CVSS base score is 2.1 (Low).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 30.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).

Deeper analysis

CVE-2025-11303 is a command injection vulnerability affecting the Belkin F9K1015 router running firmware version 1.00.10. The flaw resides in an unknown function within the /goform/mp file, where manipulation of the "command" argument enables arbitrary command execution. It is classified under CWE-74 (Injection) and CWE-77 (Command Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.

The vulnerability can be exploited remotely by an attacker who possesses low privileges (PR:L), requiring network access with low attack complexity and no user interaction. Successful exploitation allows limited impacts, including low-level disclosure of confidential information, modification of data or system settings, and denial of service through reduced availability.

References, including a public proof-of-concept on GitHub and entries on VulDB, confirm the exploit is publicly available and may be used against vulnerable devices. The vendor was notified early but has not responded or issued any patches or mitigation guidance.


Vulnerability details

A vulnerability was detected in Belkin F9K1015 1.00.10. Affected is an unknown function of the file /goform/mp. Performing a manipulation of the argument command results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.


Related Threats

MITRE ATT&CK Enterprise Techniques AI

T1059 Command and Scripting Interpreter (Execution)
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

T1202 Indirect Command Execution (Stealth)
Adversaries may abuse utilities that allow for command execution to bypass security restrictions that limit the use of command-line interpreters.

Why these techniques?

Remote command injection in the router's public-facing web interface (/goform/mp) enables exploitation of a public-facing application (T1190), command and scripting interpreter execution (T1059), and indirect command execution (T1202, per the VulDB advisory).

CVEs Like This One

CVE-2025-11298 (same product: Belkin F9K1015)
CVE-2025-11292 (same product: Belkin F9K1015)
CVE-2025-11296 (same product: Belkin F9K1015)
CVE-2025-11300 (same product: Belkin F9K1015)
CVE-2026-5614 (same product: Belkin F9K1015)
CVE-2025-11295 (same product: Belkin F9K1015)
CVE-2025-11294 (same product: Belkin F9K1015)
CVE-2025-11302 (same product: Belkin F9K1015)
CVE-2025-11293 (same product: Belkin F9K1015)
CVE-2026-5610 (same product: Belkin F9K1015)

Affected Assets

belkin · f9k1015 firmware · 1.00.10

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

Prevent: Directly requires validation and neutralization of untrusted input in the 'command' argument of /goform/mp to block command injection.

Prevent: Restricts the privileges available to the low-privilege account that can reach the vulnerable endpoint, limiting what injected commands can do.

Prevent: Boundary-protection mechanisms can filter or block malicious command payloads before they reach the router's web interface.
