CVE-2026-5614

HighPublic PoC

Published: 06 April 2026

Published

06 April 2026

Modified

30 April 2026

KEV Added

—

Patch

—

CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

EPSS Score 0.0011 28.5th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

A security flaw has been discovered in Belkin F9K1015 1.00.10. Impacted is the function formSetPassword of the file /goform/formSetPassword. The manipulation of the argument webpage results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been…

released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Implements input validation on the 'webpage' argument in formSetPassword to prevent stack-based buffer overflows from malformed inputs.

SI-16 Memory Protection good match

prevent

Deploys memory protection mechanisms such as stack canaries or address space layout randomization to mitigate exploitation of the stack-based buffer overflow.

SI-2 Flaw Remediation partial match

preventrecover

Establishes processes for timely flaw remediation, including applying vendor patches or replacing vulnerable firmware when available for this unpatched router vulnerability.

Security SummaryAI

CVE-2026-5614 is a stack-based buffer overflow vulnerability affecting the Belkin F9K1015 router on firmware version 1.00.10. The issue lies in the formSetPassword function within the /goform/formSetPassword file, where manipulation of the "webpage" argument triggers the overflow.

The vulnerability enables remote exploitation by attackers with low privileges (PR:L), requiring low attack complexity (AC:L) and no user interaction (UI:N). Successful attacks can result in high impacts to confidentiality, integrity, and availability (C:H/I:H/A:H), earning a CVSS v3.1 base score of 8.8. It maps to CWE-119 (Improper Restriction of Operations within the Bounds of a Memory Buffer) and CWE-121 (Stack-based Buffer Overflow). A public exploit has been released.

Advisories from VulDB indicate the vendor was contacted early regarding disclosure but provided no response. No patches or official mitigations are available, with references pointing to VulDB vulnerability details and a GitHub repository hosting exploit information.

The exploit's public release increases the risk of active attacks against unpatched devices.

Details

CWE(s): CWE-119 CWE-121

Affected Products

belkin

f9k1015 firmware

1.00.10

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The remote stack-based buffer overflow in the public-facing web form (/goform/formSetPassword) on the router directly enables exploitation of a public-facing application for initial access and remote code execution.

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

References

https://github.com/Litengzheng/vuldb_new/blob/main/Belkin%20F9K1015/vul_11/README.md
Exploit, Third Party Advisory · cna@vuldb.com
https://vuldb.com/submit/785554
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/355405
Third Party Advisory, VDB Entry · cna@vuldb.com
https://vuldb.com/vuln/355405/cti
Permissions Required, VDB Entry · cna@vuldb.com