Skip to main content

F9K1015 CVE-2026-5614

| EUVDEUVD-2026-19158 HIGH
Stack-based Buffer Overflow (CWE-121)
2026-04-06 VulDB GHSA-9grv-gr5x-p4v6
7.4
CVSS 4.0 · NVD
Share

Severity by source

NVD PRIMARY
7.4 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
X

Lifecycle Timeline

4
PoC Detected
Apr 07, 2026 - 13:20 vuln.today
Public exploit code
EUVD ID Assigned
Apr 06, 2026 - 03:45 euvd
EUVD-2026-19158
Analysis Generated
Apr 06, 2026 - 03:45 vuln.today
CVE Published
Apr 06, 2026 - 02:45 nvd
HIGH 7.4

DescriptionCVE.org

A security flaw has been discovered in Belkin F9K1015 1.00.10. Impacted is the function formSetPassword of the file /goform/formSetPassword. The manipulation of the argument webpage results in stack-based buffer overflow. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

AnalysisAI

Stack-based buffer overflow in Belkin F9K1015 v1.00.10 allows authenticated remote attackers to achieve code execution via the formSetPassword function. The vulnerability requires low-privilege credentials but no user interaction, carrying a CVSS score of 8.8 (High). Public exploit code exists on GitHub, significantly lowering the barrier to exploitation, though no active exploitation is confirmed (not in CISA KEV). The vendor did not respond to responsible disclosure attempts.

Technical ContextAI

This vulnerability (CWE-121: Stack-based Buffer Overflow) affects the formSetPassword function in the /goform/formSetPassword endpoint of Belkin F9K1015 wireless router firmware version 1.00.10. Stack-based buffer overflows occur when user-supplied data exceeds the allocated buffer size on the stack, allowing attackers to overwrite return addresses and execute arbitrary code. The specific attack vector involves manipulating the 'webpage' parameter during password configuration operations. The CPE identifier (cpe:2.3:a:belkin:f9k1015:*:*:*:*:*:*:*:*) confirms this affects the Belkin F9K1015 product line. Stack overflows in embedded device web interfaces are particularly critical because these systems often lack modern exploit mitigations like ASLR or stack canaries, and the web interface typically runs with elevated privileges necessary for device configuration.

RemediationAI

No vendor-released patch identified at time of analysis, as Belkin did not respond to vulnerability disclosure attempts per the original report. Primary mitigation: discontinue use of Belkin F9K1015 routers and replace with actively supported hardware from vendors with established security update programs. If immediate replacement is not feasible, implement defense-in-depth controls: disable remote administration entirely, restrict web interface access to trusted local network segments only via firewall rules, change default administrative credentials to strong unique passwords exceeding 20 characters, monitor device logs for unusual authentication attempts or configuration changes, and isolate the router on a separate network segment if possible. Organizations should prioritize hardware replacement given the combination of public exploit availability, vendor abandonment, and the router's role as a network perimeter device. Consult VulDB advisory at https://vuldb.com/vuln/355405 and technical details at https://github.com/Litengzheng/vuldb_new/blob/main/Belkin%20F9K1015/vul_11/README.md for additional context.

Share

CVE-2026-5614 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy