Skip to main content
CVE Vulnerability Database

CVE-2025-7082: Belkin F9K1122 Firmware RCE Vulnerability

CVE-2025-7082 is a critical remote code execution vulnerability in Belkin F9K1122 firmware that enables OS command injection through web interface parameters. This article covers technical details, exploitation risks, and mitigation.

Published:

CVE-2025-7082 Overview

CVE-2025-7082 is an operating system command injection vulnerability in the Belkin F9K1122 wireless router running firmware version 1.00.33. The flaw resides in the formBSSetSitesurvey function within the /goform/formBSSetSitesurvey endpoint of the webs component. Attacker-controlled values supplied through the wan_ipaddr, wan_netmask, wan_gateway, and wl_ssid parameters are passed directly to the underlying operating system without sanitization. The vendor was notified prior to public disclosure but did not respond, and no patch has been published. The exploit has been disclosed publicly, increasing the risk of opportunistic abuse against exposed devices.

Critical Impact

An authenticated remote attacker can inject arbitrary operating system commands into the router by manipulating WAN configuration parameters, gaining the ability to execute commands within the device's web server context.

Affected Products

  • Belkin F9K1122 router (hardware)
  • Belkin F9K1122 firmware version 1.00.33
  • Devices exposing the /goform/formBSSetSitesurvey endpoint of the webs component

Discovery Timeline

  • 2025-07-06 - CVE-2025-7082 published to the National Vulnerability Database (NVD)
  • 2026-04-29 - Last updated in NVD database

Technical Details for CVE-2025-7082

Vulnerability Analysis

The vulnerability is classified as OS Command Injection [CWE-77]. The formBSSetSitesurvey handler in the router's webs binary processes WAN configuration parameters submitted through HTTP POST requests. The handler concatenates the values of wan_ipaddr, wan_netmask, wan_gateway, and wl_ssid into shell command strings without input validation, escaping, or use of safe execution primitives.

Because the router's web interface executes these commands with the privileges of the embedded web server, successful injection yields command execution on the device. The attack vector is network-based and can be triggered remotely against any reachable management interface. Public disclosure of the proof of concept lowers the technical barrier for exploitation. The Exploit Prediction Scoring System (EPSS) places this issue in the 92nd percentile, reflecting elevated likelihood of exploitation attempts despite the low CVSS base score.

Root Cause

The root cause is the absence of input sanitization in the formBSSetSitesurvey function. User-supplied WAN parameters are appended into shell command strings without filtering shell metacharacters such as ;, |, &, backticks, or $(). The function relies on caller trust rather than enforcing strict character whitelisting or invoking system utilities through argument arrays.

Attack Vector

An attacker with access to the router's web management interface submits a crafted POST request to /goform/formBSSetSitesurvey. By embedding shell metacharacters in any of the four vulnerable parameters, the attacker terminates the intended command and appends arbitrary instructions. The proof of concept published on the wudipjq GitHub repository demonstrates injection payloads. Refer to the GitHub PoC Repository for parameter-level technical details.

Detection Methods for CVE-2025-7082

Indicators of Compromise

  • Unexpected HTTP POST requests to /goform/formBSSetSitesurvey containing shell metacharacters such as ;, |, &, backticks, or $() in wan_ipaddr, wan_netmask, wan_gateway, or wl_ssid fields.
  • Outbound connections initiated by the router to unfamiliar hosts, indicating possible reverse shell or downloader activity.
  • Unexplained changes to router configuration, DNS settings, or firmware state.

Detection Strategies

  • Inspect web access logs on the router or upstream proxies for requests to the formBSSetSitesurvey endpoint that include non-numeric characters in IP-related fields.
  • Use network intrusion detection signatures to flag HTTP request bodies containing command injection patterns directed at /goform/ endpoints.
  • Monitor for SSID values containing shell control characters, which legitimate clients should never produce.

Monitoring Recommendations

  • Capture and review router management traffic at the network perimeter, particularly when the device is reachable from untrusted networks.
  • Alert on new outbound TCP or UDP flows originating from the router's management IP that deviate from baseline behavior.
  • Track administrative authentication events to the router and correlate them with subsequent configuration changes.

How to Mitigate CVE-2025-7082

Immediate Actions Required

  • Remove the Belkin F9K1122 from any internet-facing position and restrict the management interface to a trusted administrative VLAN.
  • Disable remote administration features on the router and enforce strong, unique administrative credentials.
  • Evaluate replacement of the device, as the F9K1122 is a legacy product and the vendor did not respond to disclosure.

Patch Information

No vendor patch is available. According to the disclosure, Belkin was contacted prior to publication and did not respond. Organizations should treat affected devices as unpatched and plan for replacement or compensating controls. Monitor the VulDB advisory #314996 for any future vendor updates.

Workarounds

  • Place the router behind a network firewall and block external access to TCP ports used by the web administration interface.
  • Apply access control lists that permit management traffic only from designated administrator workstations.
  • Replace the F9K1122 with a currently supported router that receives security updates from its vendor.
bash
# Example: restrict access to the router management interface using iptables on an upstream gateway
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -s <admin_subnet> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -s <admin_subnet> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.