CVE-2025-11303
Published: 05 October 2025
Summary
CVE-2025-11303 is a low-severity Injection (CWE-74) vulnerability in Belkin F9K1015 Firmware. Its CVSS base score is 2.1 (Low).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks in the top 30.6% of CVEs by exploit likelihood, is not currently listed in the CISA KEV catalog, and has a public proof-of-concept referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and AC-6 (Least Privilege).
Deeper analysis
CVE-2025-11303 is a command injection vulnerability affecting the Belkin F9K1015 router running firmware version 1.00.10. The flaw resides in an unknown function within the /goform/mp file, where manipulation of the "command" argument enables arbitrary command execution. It is classified under CWE-74 (Improper Neutralization of Special Elements used in an SQL Command) and CWE-77 (Command Injection), with a CVSS v3.1 base score of 6.3 (AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L), indicating medium severity.
The vulnerability can be exploited remotely by an attacker who possesses low privileges (PR:L), requiring network access with low attack complexity and no user interaction. Successful exploitation allows limited impacts, including low-level disclosure of confidential information, modification of data or system settings, and denial of service through reduced availability.
References, including a public proof-of-concept on GitHub and entries on VulDB, confirm the exploit is publicly available and may be used against vulnerable devices. The vendor was notified early but has not responded or issued any patches or mitigation guidance.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-32227
Vulnerability details
A vulnerability was detected in Belkin F9K1015 1.00.10. Affected is an unknown function of the file /goform/mp. Performing a manipulation of the argument command results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Remote command injection in the public-facing router web interface (/goform/mp) enables exploitation of public-facing applications (T1190), command and scripting interpreter execution (T1059), and indirect command execution (T1202, per the VulDB advisory).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Directly requires validation and neutralization of untrusted input in the 'command' argument of /goform/mp to block command injection.
- AC-6 (Least Privilege): Restricts the privileges available to the low-privilege account that can reach the vulnerable endpoint, limiting what injected commands can do.
- SC-7 (Boundary Protection): Boundary-protection mechanisms can filter or block malicious command payloads before they reach the router's web interface.
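The following Python sketch is an added example, not Belkin firmware code and not part of the advisory. It shows the two defensive points above: SI-10 style allowlist validation of a "command" argument that is executed without a shell, and a log check that flags requests to /goform/mp whose "command" value carries shell metacharacters. The endpoint's operations, the "target" parameter and the log lines are all constructed assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Hypothetical allowlist for the endpoint: each permitted 'command' value maps
# to a fixed argv prefix that is executed without a shell, so the value itself
# is never interpreted by /bin/sh. (Assumption: the real handler's operations
# are not documented in the advisory.)
ALLOWED_COMMANDS = {
    "ping": ["ping", "-c", "1"],
    "traceroute": ["traceroute", "-m", "5"],
}
# Plain hostname or IPv4 literal; no shell metacharacters, no leading '-'.
TARGET_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9.-]{0,252}$")
# Characters that signal an attempt to chain or substitute commands.
SHELL_META_RE = re.compile(r"[;&|`<>\r\n]|\$\(")


def build_argv(command: str, target: str) -> list:
    """SI-10 style validation: accept only allowlisted operations and a
    well-formed target, and return an argv list suitable for
    subprocess.run(..., shell=False). Anything else is rejected, not escaped."""
    if command not in ALLOWED_COMMANDS:
        raise ValueError("command not in allowlist: %r" % command)
    if not TARGET_RE.match(target):
        raise ValueError("target is not a plain host: %r" % target)
    return ALLOWED_COMMANDS[command] + [target]


def is_injection_attempt(log_line: str) -> bool:
    """Detection: flag an access-log line whose request targets /goform/mp
    with shell metacharacters in the 'command' argument.
    Only GET query strings are visible here; POST bodies are not logged."""
    m = re.search(r'"(?:GET|POST) (\S+) HTTP/', log_line)
    if not m:
        return False
    url = urlsplit(m.group(1))
    if url.path != "/goform/mp":
        return False
    # parse_qs percent-decodes, so %3B is seen as ';'.
    values = parse_qs(url.query).get("command", [])
    return any(SHELL_META_RE.search(v) for v in values)


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [05/Oct/2025:10:00:01 +0000] "GET /goform/mp?command=ping&target=192.0.2.1 HTTP/1.1" 200 512',
    '192.0.2.77 - - [05/Oct/2025:10:00:09 +0000] "GET /goform/mp?command=ping%3Bid&target=127.0.0.1 HTTP/1.1" 200 2048',
    '192.0.2.77 - - [05/Oct/2025:10:00:11 +0000] "GET /index.html HTTP/1.1" 200 1024',
]

if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print("ALERT" if is_injection_attempt(line) else "ok   ", line[:70])
```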