CVE-2025-11786

9.8 CRITICAL

📋 TL;DR

This CVE describes a critical stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 devices. An attacker can inject arbitrary shell commands through the password change function, leading to remote code execution with application privileges. Organizations using these specific PLC devices are affected.

💻 Affected Systems

Products:
  • Circutor SGE-PLC1000
  • Circutor SGE-PLC50
Versions: v9.0.2
Operating Systems: Embedded Linux
Default Config Vulnerable: ⚠️ Yes
Notes: Vulnerability exists in default configuration when password change functionality is accessible.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Full system compromise, allowing an attacker to execute arbitrary commands, install malware, pivot to other network systems, or disrupt industrial operations.

🟠 Likely Case

Remote code execution leading to data theft, system manipulation, or denial of service affecting PLC-controlled processes.

🟢 If Mitigated

Limited impact if the devices are isolated in segmented networks with strict access controls and command execution restrictions.

🌐 Internet-Facing: HIGH
🏢 Internal Only: HIGH

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ✅ No
Complexity: LOW

Exploitation requires access to the password change functionality, but no authentication bypass is needed. The buffer overflow leads directly to command injection.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not available

Vendor Advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0

Restart Required: No

Instructions:

No official patch available. Monitor vendor for updates and apply immediately when released.

🔧 Temporary Workarounds

Network Segmentation

Isolate affected PLC devices in separate network segments with strict firewall rules.

Access Control Restrictions

Restrict network access to PLC management interfaces to authorized IP addresses only.

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate PLC devices from general network traffic
  • Disable remote management interfaces if not absolutely required for operations

🔍 How to Verify

Check if Vulnerable:

Check the device version via the web interface or over SSH if accessible. Version 9.0.2 is vulnerable.

Check Version:

Check via the web interface at http://<device_ip>/status or over SSH if enabled.

Verify Fix Applied:

Verify that the device version has been updated beyond 9.0.2 once a patch becomes available.

📡 Detection & Monitoring

Log Indicators:

  • Unusual password change attempts
  • Unexpected shell command execution in system logs
  • Multiple failed authentication attempts

Network Indicators:

  • Unusual traffic to PLC management ports
  • Command injection patterns in HTTP requests to password change endpoints

SIEM Query:

source="plc_logs" AND (event="password_change" OR event="system_command") AND status="success"
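To turn the log and network indicators above into something runnable, here is an added example (not from this page or the vendor) that scores constructed reverse-proxy request records for three signals: an overlong password field, shell metacharacters in the field, and a burst of password-change requests from one source. The proxy log format, the endpoint path placeholder and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

# Assumed: a reverse proxy in front of the PLC management interface logs
# POST bodies as "<ts> <src> <method> <path> <body>". Lines are constructed;
# the endpoint path is a placeholder, not the device's real path.
LOG_LINES = [
    "2025-10-20T08:00:01Z 10.0.0.5 POST /<password-change-endpoint> old_password=abc123&new_password=Str0ngPass",
    "2025-10-20T08:00:07Z 10.0.0.9 POST /<password-change-endpoint> old_password=abc123&new_password=" + "A" * 300,
    "2025-10-20T08:00:09Z 10.0.0.9 POST /<password-change-endpoint> old_password=abc123&new_password=abc%3Btrue",
    "2025-10-20T08:00:10Z 10.0.0.9 POST /<password-change-endpoint> old_password=abc123&new_password=Other1",
    "2025-10-20T08:00:11Z 10.0.0.9 POST /<password-change-endpoint> old_password=abc123&new_password=Other2",
]

MAX_FIELD_LEN = 128                      # assumed sane upper bound for a password field
SHELL_META = re.compile(r"[;&|`$(){}<>\n]")  # characters a shell would interpret
BURST_COUNT, BURST_WINDOW = 3, timedelta(seconds=60)  # assumed rate threshold


def parse_line(line):
    """Split one constructed proxy log line into its fields and decode the form body."""
    ts, src, method, path, body = line.split(" ", 4)
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "src": src,
            "method": method, "path": path,
            "params": parse_qs(body, keep_blank_values=True)}


def detect(lines):
    """Return (src, indicator, detail) tuples for every signal found in the lines."""
    alerts = []
    recent = defaultdict(list)  # src -> timestamps of recent password-change requests
    for rec in map(parse_line, lines):
        if "new_password" not in rec["params"]:
            continue  # not a password-change request
        for value in rec["params"]["new_password"]:
            if len(value) > MAX_FIELD_LEN:       # possible overflow attempt
                alerts.append((rec["src"], "overlong_password_field", len(value)))
            if SHELL_META.search(value):         # possible command injection attempt
                alerts.append((rec["src"], "shell_metacharacters", value))
        window = recent[rec["src"]]
        window.append(rec["ts"])
        window[:] = [t for t in window if rec["ts"] - t <= BURST_WINDOW]
        if len(window) == BURST_COUNT:           # fire once when the burst threshold is reached
            alerts.append((rec["src"], "password_change_burst", len(window)))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```

Feed real proxy records through the same three checks and route the tuples to the SIEM alongside the query above.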

🔗 References
