Belkin F9K1015 Stack-Based Buffer Overflow Vulnerability (CVE-2026-5612)

CVE-2026-5612 is a critical vulnerability affecting Belkin F9K1015 router firmware version 1.00.10. Specifically, a stack-based buffer overflow can be triggered in the formWlEncrypt function located within the /goform/formWlEncrypt file. This vulnerability allows a remote attacker to inject arbitrary code by sending a specially crafted request to the router, manipulating the webpage argument. This exploit has been publicly disclosed, increasing the risk of widespread exploitation. Successful exploitation grants the attacker complete control over the device. The vendor was notified, but no response has been received. Given the ease of remote exploitation and the availability of exploit code, immediate action is required to mitigate the risks.

Attack Chain

1. The attacker identifies a Belkin F9K1015 router running firmware version 1.00.10.
2. The attacker crafts a malicious HTTP POST request targeting the /goform/formWlEncrypt endpoint.
3. The crafted request includes an overly long string in the webpage argument to trigger the buffer overflow.
4. The router’s webserver processes the request and calls the formWlEncrypt function.
5. The formWlEncrypt function copies the attacker-controlled webpage argument into a fixed-size buffer on the stack without proper bounds checking.
6. The overflow overwrites adjacent memory regions on the stack, including the return address.
7. When the formWlEncrypt function returns, control is transferred to the attacker-controlled address.
8. The attacker executes arbitrary code, potentially gaining full control over the router and its network.

Impact

Successful exploitation of CVE-2026-5612 can lead to complete compromise of the Belkin F9K1015 router. An attacker can execute arbitrary code, potentially installing malware, intercepting network traffic, or using the router as a pivot point for further attacks within the network. Given that this vulnerability is remotely exploitable and a public exploit is available, any unpatched Belkin F9K1015 device is at high risk. The lack of vendor response increases the risk, placing responsibility on network defenders.

Recommendation

• Monitor web server logs for POST requests to /goform/formWlEncrypt with abnormally long webpage parameters to detect potential exploitation attempts. See the provided Sigma rule for an example.
• Implement network intrusion detection system (NIDS) rules to identify and block suspicious traffic targeting the /goform/formWlEncrypt endpoint.
• Since a public exploit exists, consider blocking all traffic to the /goform/formWlEncrypt endpoint as a temporary mitigation measure until a patch is available.
• Unfortunately, since the vendor is non-responsive, end-of-life (EOL) of these devices should be considered.