CVE-2025-11779
📋 TL;DR
A stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 allows remote attackers to execute arbitrary code via the 'SetLan' function in the management web interface. This affects industrial control systems using these specific PLC models, potentially allowing attackers to take full control of the device.
💻 Affected Systems
- Circutor SGE-PLC1000
- Circutor SGE-PLC50
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to remote code execution, potential lateral movement within industrial networks, and disruption of physical processes controlled by the PLC.
Likely Case
Remote code execution allowing attackers to modify PLC logic, disrupt operations, or establish persistence in industrial networks.
If Mitigated
Limited impact if devices are isolated from untrusted networks and have strict access controls, though the vulnerability remains present.
🎯 Exploit Status
The vulnerability requires web interface access but no authentication, making exploitation straightforward for attackers with network access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Not available
Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0
Restart Required: No
Instructions:
No official patch available. Monitor vendor for updates and apply immediately when released.
🔧 Temporary Workarounds
Network Isolation
Isolate affected PLCs from untrusted networks and restrict access to management interfaces.
Access Control
Implement strict network access controls and firewall rules to limit access to the web management interface.
🧯 If You Can't Patch
- Segment affected devices in isolated network zones with no internet access
- Implement strict firewall rules to allow only trusted IP addresses to access the web interface
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface or serial console. If version is v9.0.2, device is vulnerable.
Check Version:
Check web interface system information page or use serial console commands specific to the device model.
Verify Fix Applied:
Verify firmware version has been updated to a patched version when available from vendor.
📡 Detection & Monitoring
Log Indicators:
- Unusual web requests to index.cgi with parameter manipulation
- Multiple failed configuration change attempts
- Unexpected system reboots or configuration changes
Network Indicators:
- Unusual traffic patterns to PLC web interface
- Requests with malformed parameters to SetLan function
- Traffic from unexpected source IPs to management interface
SIEM Query:
source_ip=* AND dest_port=80 AND uri_path="*index.cgi*" AND (http_method="POST" OR http_method="GET") AND (query_string="*SetLan*" OR post_data="*SetLan*")
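The indicators above can also be checked offline against web or reverse-proxy access logs. The following Python sketch is an added example, not vendor or advisory code: it flags requests to index.cgi that reference SetLan and separates trusted management hosts from unexpected source IPs. The trusted subnet, the log format, the sample lines and the `func=` parameter name are assumptions made for illustration; the page does not give the request format.

```python
import ipaddress
import re
from urllib.parse import urlsplit, unquote_plus

# Assumption: management stations allowed to reach the PLC web interface.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/28")]

# Common/combined access-log prefix (assumed format of the proxy in front of the PLC).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" \d{3} ')

# Constructed sample lines using documentation address ranges, not captured traffic.
SAMPLE_LOG = """\
10.20.0.5 - - [12/Nov/2025:08:01:11 +0000] "GET /index.cgi?page=status HTTP/1.1" 200 812
10.20.0.5 - - [12/Nov/2025:08:02:40 +0000] "POST /index.cgi?func=SetLan HTTP/1.1" 200 90
198.51.100.23 - - [12/Nov/2025:09:14:02 +0000] "POST /index.cgi?func=SetLan HTTP/1.1" 200 0
198.51.100.23 - - [12/Nov/2025:09:14:05 +0000] "GET /index.cgi?func=%53etLan HTTP/1.1" 500 0
203.0.113.9 - - [12/Nov/2025:09:20:00 +0000] "GET /logo.png HTTP/1.1" 200 4096
"""

def is_trusted(src):
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False  # an unparseable source field is treated as untrusted
    return any(addr in net for net in TRUSTED_NETS)

def classify(line):
    """Return (verdict, source_ip) for SetLan requests to index.cgi, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m["target"])
    if not parts.path.lower().endswith("index.cgi"):
        return None
    # Decode before matching so percent-encoded spellings of SetLan are still seen.
    if "setlan" not in unquote_plus(parts.query).lower():
        return None
    verdict = "review" if is_trusted(m["src"]) else "alert"
    return (verdict, m["src"])

def scan(log_text):
    return [hit for hit in map(classify, log_text.splitlines()) if hit]

if __name__ == "__main__":
    for verdict, src in scan(SAMPLE_LOG):
        print(verdict, src)
```

Access logs normally do not record POST bodies, so the `post_data` half of the SIEM query needs proxy or packet-level data rather than this log source.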