CVE-2025-11778

9.8 CRITICAL

📋 TL;DR

A stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v0.9.2 allows remote attackers to execute arbitrary code through memory corruption in the TACACSPLUS implementation. This affects industrial control systems using these specific PLC models, potentially compromising critical infrastructure operations.

💻 Affected Systems

Products:
  • Circutor SGE-PLC1000
  • Circutor SGE-PLC50
Versions: v0.9.2
Operating Systems: Embedded firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in the TACACSPLUS implementation's read_packet() function.


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete system compromise leading to remote code execution, device takeover, and potential disruption of industrial processes or safety systems.

🟠 Likely Case

Remote code execution allowing attackers to manipulate PLC operations, modify control logic, or establish persistence in industrial networks.

🟢 If Mitigated

Limited impact if devices are isolated behind firewalls with strict network segmentation and access controls.

🌐 Internet-Facing: HIGH - CVSS 9.8 indicates critical severity with network-accessible attack vector.
🏢 Internal Only: HIGH - Even internally, the vulnerability allows remote exploitation within the network.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Buffer overflow vulnerabilities in network services typically have low exploitation complexity once details are understood.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in provided reference

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0

Restart Required: Yes

Instructions:

1. Monitor the Circutor vendor website for security updates.
2. Apply firmware patches when available.
3. Restart affected devices after patching.

🔧 Temporary Workarounds

Network Segmentation


Isolate affected PLCs from untrusted networks using firewalls and VLANs.

Access Control Lists


Implement strict network ACLs to limit access to TACACSPLUS service (typically port 49).

🧯 If You Can't Patch

  • Segment affected devices into isolated network zones with no internet access
  • Implement intrusion detection systems to monitor for exploitation attempts

🔍 How to Verify

Check if Vulnerable:

Check the device firmware version via the web interface or serial console. If the version is v0.9.2, the device is vulnerable.

Check Version:

Check via device web interface or manufacturer documentation for version query methods.

Verify Fix Applied:

Verify firmware version has been updated to a version later than v0.9.2.

📡 Detection & Monitoring

Log Indicators:

  • Unusual TACACSPLUS connection attempts
  • Memory access violations in system logs
  • Unexpected device reboots

Network Indicators:

  • Unusual traffic to port 49 (TACACSPLUS)
  • Malformed packets to PLC network services

SIEM Query:

source_ip:* AND dest_port:49 AND (packet_size:>normal OR protocol_anomaly:true)

