CVE-2025-7082 Overview
CVE-2025-7082 is an operating system command injection vulnerability in the Belkin F9K1122 wireless router running firmware version 1.00.33. The flaw resides in the formBSSetSitesurvey function within the /goform/formBSSetSitesurvey endpoint of the webs component. Attacker-controlled values supplied through the wan_ipaddr, wan_netmask, wan_gateway, and wl_ssid parameters are passed directly to the underlying operating system without sanitization. The vendor was notified prior to public disclosure but did not respond, and no patch has been published. The exploit has been disclosed publicly, increasing the risk of opportunistic abuse against exposed devices.
Critical Impact
An authenticated remote attacker can inject arbitrary operating system commands into the router by manipulating WAN configuration parameters, gaining the ability to execute commands within the device's web server context.
Affected Products
- Belkin F9K1122 router (hardware)
- Belkin F9K1122 firmware version 1.00.33
- Devices exposing the /goform/formBSSetSitesurvey endpoint of the webs component
Discovery Timeline
- 2025-07-06 - CVE-2025-7082 published to the National Vulnerability Database (NVD)
- 2026-04-29 - Last updated in NVD database
Technical Details for CVE-2025-7082
Vulnerability Analysis
The vulnerability is classified as OS Command Injection [CWE-77]. The formBSSetSitesurvey handler in the router's webs binary processes WAN configuration parameters submitted through HTTP POST requests. The handler concatenates the values of wan_ipaddr, wan_netmask, wan_gateway, and wl_ssid into shell command strings without input validation, escaping, or use of safe execution primitives.
Because the router's web interface executes these commands with the privileges of the embedded web server, successful injection yields command execution on the device. The attack vector is network-based and can be triggered remotely against any reachable management interface. Public disclosure of the proof of concept lowers the technical barrier for exploitation. The Exploit Prediction Scoring System (EPSS) places this issue in the 92nd percentile, reflecting elevated likelihood of exploitation attempts despite the low CVSS base score.
Root Cause
The root cause is the absence of input sanitization in the formBSSetSitesurvey function. User-supplied WAN parameters are appended into shell command strings without filtering shell metacharacters such as ;, |, &, backticks, or $(). The function relies on caller trust rather than enforcing strict character whitelisting or invoking system utilities through argument arrays.
Attack Vector
An attacker with access to the router's web management interface submits a crafted POST request to /goform/formBSSetSitesurvey. By embedding shell metacharacters in any of the four vulnerable parameters, the attacker terminates the intended command and appends arbitrary instructions. The proof of concept published on the wudipjq GitHub repository demonstrates injection payloads. Refer to the GitHub PoC Repository for parameter-level technical details.
Detection Methods for CVE-2025-7082
Indicators of Compromise
- Unexpected HTTP POST requests to /goform/formBSSetSitesurvey containing shell metacharacters such as ;, |, &, backticks, or $() in wan_ipaddr, wan_netmask, wan_gateway, or wl_ssid fields.
- Outbound connections initiated by the router to unfamiliar hosts, indicating possible reverse shell or downloader activity.
- Unexplained changes to router configuration, DNS settings, or firmware state.
Detection Strategies
- Inspect web access logs on the router or upstream proxies for requests to the formBSSetSitesurvey endpoint that include non-numeric characters in IP-related fields.
- Use network intrusion detection signatures to flag HTTP request bodies containing command injection patterns directed at /goform/ endpoints.
- Monitor for SSID values containing shell control characters, which legitimate clients should never produce.
Monitoring Recommendations
- Capture and review router management traffic at the network perimeter, particularly when the device is reachable from untrusted networks.
- Alert on new outbound TCP or UDP flows originating from the router's management IP that deviate from baseline behavior.
- Track administrative authentication events to the router and correlate them with subsequent configuration changes.
How to Mitigate CVE-2025-7082
Immediate Actions Required
- Remove the Belkin F9K1122 from any internet-facing position and restrict the management interface to a trusted administrative VLAN.
- Disable remote administration features on the router and enforce strong, unique administrative credentials.
- Evaluate replacement of the device, as the F9K1122 is a legacy product and the vendor did not respond to disclosure.
Patch Information
No vendor patch is available. According to the disclosure, Belkin was contacted prior to publication and did not respond. Organizations should treat affected devices as unpatched and plan for replacement or compensating controls. Monitor the VulDB advisory #314996 for any future vendor updates.
Workarounds
- Place the router behind a network firewall and block external access to TCP ports used by the web administration interface.
- Apply access control lists that permit management traffic only from designated administrator workstations.
- Replace the F9K1122 with a currently supported router that receives security updates from its vendor.
# Example: restrict access to the router management interface using iptables on an upstream gateway
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -s <admin_subnet> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 80 -j DROP
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -s <admin_subnet> -j ACCEPT
iptables -A FORWARD -p tcp -d <router_ip> --dport 443 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

