Vulnerability-Lookup

CNVD-2026-14687

Vulnerability from cnvd - Published: 2026-03-24

Title

Belkin F9K1015命令注入漏洞

Description

Belkin F9K1015是一款WiFi信号扩展器。 Belkin F9K1015存在命令注入漏洞，该漏洞源于对文件/goform/formBSSetSitesurvey中参数wan_ipaddr的错误操作。攻击者可利用该漏洞在系统上执行任意命令。

Severity

高

Formal description

厂商尚未提供漏洞修复方案，请关注厂商主页更新： https://www.belkin.com/

Reference

https://nvd.nist.gov/vuln/detail/CVE-2025-11292

Impacted products

Name
Belkin F9K1015 1.00.10

Show details on source website

JSON

To clipboard

{
  "cves": {
    "cve": {
      "cveNumber": "CVE-2025-11292",
      "cveUrl": "https://nvd.nist.gov/vuln/detail/CVE-2025-11292"
    }
  },
  "description": "Belkin F9K1015\u662f\u4e00\u6b3eWiFi\u4fe1\u53f7\u6269\u5c55\u5668\u3002\n\nBelkin F9K1015\u5b58\u5728\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e\uff0c\u8be5\u6f0f\u6d1e\u6e90\u4e8e\u5bf9\u6587\u4ef6/goform/formBSSetSitesurvey\u4e2d\u53c2\u6570wan_ipaddr\u7684\u9519\u8bef\u64cd\u4f5c\u3002\u653b\u51fb\u8005\u53ef\u5229\u7528\u8be5\u6f0f\u6d1e\u5728\u7cfb\u7edf\u4e0a\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002",
  "formalWay": "\u5382\u5546\u5c1a\u672a\u63d0\u4f9b\u6f0f\u6d1e\u4fee\u590d\u65b9\u6848\uff0c\u8bf7\u5173\u6ce8\u5382\u5546\u4e3b\u9875\u66f4\u65b0\uff1a\r\nhttps://www.belkin.com/",
  "isEvent": "\u901a\u7528\u8f6f\u786c\u4ef6\u6f0f\u6d1e",
  "number": "CNVD-2026-14687",
  "openTime": "2026-03-24",
  "products": {
    "product": "Belkin F9K1015 1.00.10"
  },
  "referenceLink": "https://nvd.nist.gov/vuln/detail/CVE-2025-11292",
  "serverity": "\u9ad8",
  "submitTime": "2025-10-13",
  "title": "Belkin F9K1015\u547d\u4ee4\u6ce8\u5165\u6f0f\u6d1e"
}

CVE-2025-11292 (GCVE-0-2025-11292)

Vulnerability from cvelistv5 – Published: 2025-10-05 14:02 – Updated: 2026-02-24 06:41

Title

Belkin F9K1015 formBSSetSitesurvey command injection

Summary

A weakness has been identified in Belkin F9K1015 1.00.10. Affected is an unknown function of the file /goform/formBSSetSitesurvey. Executing a manipulation of the argument wan_ipaddr can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Severity ?

5.3 (Medium)


                        
                          CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P

6.3 (Medium)


                        
                          CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

6.3 (Medium)


                        
                          CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R

CWE

CWE-77 - Command Injection
CWE-74 - Injection

Assigner

VulDB

References

URL

Tags

	https://vuldb.com/?id.327173	vdb-entrytechnical-description
	https://vuldb.com/?ctiid.327173	signaturepermissions-required
	https://vuldb.com/?submit.661295	third-party-advisory
	https://github.com/panda666-888/vuls/blob/main/be…	related
	https://github.com/panda666-888/vuls/blob/main/be…	exploit

Impacted products

	Vendor	Product	Version
	Belkin	F9K1015	Affected: 1.00.10 cpe:2.3:o:belkin:f9k1015_firmware::::::::

Credits

panda_0x1 (VulDB User) VulDB

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11292",
                "options": [
                  {
                    "Exploitation": "poc"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-10-07T13:07:05.451439Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-10-07T13:07:36.078Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "references": [
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formBSSetSitesurvey.md#poc"
          },
          {
            "tags": [
              "exploit"
            ],
            "url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formBSSetSitesurvey.md"
          }
        ],
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "cpes": [
            "cpe:2.3:o:belkin:f9k1015_firmware:*:*:*:*:*:*:*:*"
          ],
          "product": "F9K1015",
          "vendor": "Belkin",
          "versions": [
            {
              "status": "affected",
              "version": "1.00.10"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "panda_0x1 (VulDB User)"
        },
        {
          "lang": "en",
          "type": "coordinator",
          "value": "VulDB"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "value": "A weakness has been identified in Belkin F9K1015 1.00.10. Affected is an unknown function of the file /goform/formBSSetSitesurvey. Executing a manipulation of the argument wan_ipaddr can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "baseScore": 5.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
            "version": "4.0"
          }
        },
        {
          "cvssV3_1": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.1"
          }
        },
        {
          "cvssV3_0": {
            "baseScore": 6.3,
            "baseSeverity": "MEDIUM",
            "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
            "version": "3.0"
          }
        },
        {
          "cvssV2_0": {
            "baseScore": 6.5,
            "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
            "version": "2.0"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-77",
              "description": "Command Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-74",
              "description": "Injection",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-02-24T06:41:24.365Z",
        "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "shortName": "VulDB"
      },
      "references": [
        {
          "name": "VDB-327173 | Belkin F9K1015 formBSSetSitesurvey command injection",
          "tags": [
            "vdb-entry",
            "technical-description"
          ],
          "url": "https://vuldb.com/?id.327173"
        },
        {
          "name": "VDB-327173 | CTI Indicators (IOB, IOC, TTP, IOA)",
          "tags": [
            "signature",
            "permissions-required"
          ],
          "url": "https://vuldb.com/?ctiid.327173"
        },
        {
          "name": "Submit #661295 | Belkin F9K1015 1.00.10 Command Injection",
          "tags": [
            "third-party-advisory"
          ],
          "url": "https://vuldb.com/?submit.661295"
        },
        {
          "tags": [
            "related"
          ],
          "url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formBSSetSitesurvey.md"
        },
        {
          "tags": [
            "exploit"
          ],
          "url": "https://github.com/panda666-888/vuls/blob/main/belkin/f9k1015/formBSSetSitesurvey.md#poc"
        }
      ],
      "timeline": [
        {
          "lang": "en",
          "time": "2025-10-04T00:00:00.000Z",
          "value": "Advisory disclosed"
        },
        {
          "lang": "en",
          "time": "2025-10-04T02:00:00.000Z",
          "value": "VulDB entry created"
        },
        {
          "lang": "en",
          "time": "2025-10-08T00:39:28.000Z",
          "value": "VulDB entry last update"
        }
      ],
      "title": "Belkin F9K1015 formBSSetSitesurvey command injection"
    }
  },
  "cveMetadata": {
    "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
    "assignerShortName": "VulDB",
    "cveId": "CVE-2025-11292",
    "datePublished": "2025-10-05T14:02:05.574Z",
    "dateReserved": "2025-10-04T18:45:15.714Z",
    "dateUpdated": "2026-02-24T06:41:24.365Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CNVD-2026-14687

CVE-2025-11292 (GCVE-0-2025-11292)

Tags

Sightings

Nomenclature