CVE-2025-11296

CVE-2025-11296 is a buffer overflow vulnerability affecting the Belkin F9K1015 router running firmware version 1.00.10. The flaw resides in unknown code within the /goform/formPPTPSetup file, where manipulation of the pptpUserName argument triggers the overflow. Classified under CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-120 (Buffer Copy without Checking Size of Input), it carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H), indicating high severity due to its potential for significant impact.

An attacker with low privileges (PR:L) can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Successful exploitation allows arbitrary code execution, granting high levels of confidentiality, integrity, and availability impact, potentially leading to full router compromise, such as unauthorized access, data theft, or further network pivoting.

Advisories from VulDB and a public GitHub repository detail the issue, including a proof-of-concept exploit. The vendor was contacted early regarding disclosure but provided no response, and no patches or mitigations are mentioned. The exploit has been publicly disclosed and may be actively used.

In notable context, the vulnerability was published on 2025-10-05, with immediate public availability of exploit code, increasing the risk of real-world attacks against unpatched Belkin F9K1015 devices.