CVE-2025-11778

Unknown · Unknown Multiple Products

A critical remote code execution vulnerability, identified as CVE-2025-11778, has been discovered in multiple products, including specific versions of Circutor PLCs.

Executive summary

A critical remote code execution vulnerability, identified as CVE-2025-11778, has been discovered in multiple products, including specific versions of Circutor PLCs. This flaw allows a remote, unauthenticated attacker to take complete control of an affected system by sending a specially crafted network packet, potentially leading to operational disruption, system compromise, and unauthorized access to sensitive industrial control networks.

Vulnerability

This vulnerability is a stack-based buffer overflow within the TACACS+ authentication service. Specifically, the read_packet() function fails to properly validate the size of incoming data before copying it into a fixed-size buffer on the stack. An unauthenticated remote attacker can exploit this by sending a malicious, oversized TACACS+ packet to the affected device, causing the buffer to overflow and overwrite adjacent memory, including the function's return address. By controlling the return address, the attacker can redirect the program's execution flow to malicious code (shellcode) injected into memory, resulting in remote code execution with the privileges of the affected service.

Business impact

This is a critical severity vulnerability with a CVSS score of 9.8, posing a severe risk to the organization. Successful exploitation could lead to a complete compromise of the affected devices, which include Programmable Logic Controllers (PLCs) used in Industrial Control System (ICS) environments. The potential consequences include manipulation of industrial processes, causing physical damage or operational shutdown, theft of sensitive operational data, and using the compromised device as a pivot point to launch further attacks against the internal network. The financial and reputational damage from such an attack could be substantial.

Remediation

Immediate Action: The primary remediation is to apply security updates immediately. Organizations should identify all vulnerable assets and update the firmware/software of all affected products to the latest version recommended by the vendor. After patching, monitor systems for any signs of compromise that may have occurred prior to remediation and review access logs for anomalous TACACS+ connection attempts.

Proactive Monitoring: Implement enhanced network and endpoint monitoring focused on the affected devices. Security teams should monitor for unusually large or malformed packets directed at the TACACS+ service (TCP port 49), unexpected system reboots or crashes, and any unauthorized outbound connections originating from the PLCs or other affected systems. Configure network intrusion detection systems (IDS) with signatures to detect and alert on exploit attempts targeting this CVE.
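The header checks a detection rule for the above monitoring advice would need, as an added example that is not part of this advisory or any vendor tooling: it parses the 12-byte TACACS+ header defined in RFC 8907 from captured payloads and flags oversized or inconsistent length fields. The MAX_BODY_LEN threshold, the source addresses and the sample packets are constructed assumptions.

```python
import struct

# TACACS+ header layout from RFC 8907: 12 bytes, network byte order.
#   version(1) type(1) seq_no(1) flags(1) session_id(4) length(4)
HEADER_LEN = 12
HEADER_FMT = "!BBBBII"
TACACS_MAJOR_VERSION = 0xC
PACKET_TYPES = {1: "AUTHEN", 2: "AUTHOR", 3: "ACCT"}

# Assumed threshold: genuine authentication bodies are a few hundred bytes,
# so anything larger deserves an alert. Tune to the environment.
MAX_BODY_LEN = 4096


def inspect_tacacs_packet(data: bytes) -> list:
    """Return findings for one captured TACACS+ payload; an empty list means it looks normal."""
    if len(data) < HEADER_LEN:
        return ["truncated header (%d bytes)" % len(data)]
    version, ptype, seq_no, flags, session_id, body_len = struct.unpack(
        HEADER_FMT, data[:HEADER_LEN])
    findings = []
    if (version >> 4) != TACACS_MAJOR_VERSION:
        findings.append("unexpected major version 0x%x" % (version >> 4))
    if ptype not in PACKET_TYPES:
        findings.append("unknown packet type %d" % ptype)
    if body_len > MAX_BODY_LEN:
        findings.append("oversized body length %d exceeds %d" % (body_len, MAX_BODY_LEN))
    actual = len(data) - HEADER_LEN
    if body_len != actual:
        findings.append("length field %d does not match %d body bytes" % (body_len, actual))
    return findings


def scan_packets(packets):
    """Run the checks over (source, payload) pairs and return one alert line per finding."""
    alerts = []
    for src, payload in packets:
        for finding in inspect_tacacs_packet(payload):
            alerts.append("%s -> tcp/49: %s" % (src, finding))
    return alerts


# Constructed samples: a sane AUTHEN packet, an oversized body, and a lying length field.
NORMAL = struct.pack(HEADER_FMT, 0xC0, 1, 1, 0, 0x1234, 20) + b"\x00" * 20
OVERSIZED = struct.pack(HEADER_FMT, 0xC0, 1, 1, 0, 0x1235, 8192) + b"A" * 8192
MISMATCH = struct.pack(HEADER_FMT, 0xC0, 1, 1, 0, 0x1236, 20) + b"\x00" * 5
SAMPLE = [("10.0.0.5", NORMAL), ("198.51.100.7", OVERSIZED), ("198.51.100.7", MISMATCH)]

if __name__ == "__main__":
    for line in scan_packets(SAMPLE):
        print(line)
```

Feed it the reassembled TCP payloads from a port 49 capture; the length-mismatch check also catches sessions where the header promises more data than ever arrives.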

Compensating Controls: If patching cannot be immediately deployed due to operational constraints, implement the following compensating controls:

  • Use a firewall or network access control lists (ACLs) to strictly limit access to the TACACS+ service, ensuring only trusted administration servers can communicate with the affected devices on TCP port 49.
  • If the TACACS+ service is not required for business operations, disable it entirely on vulnerable devices.
  • Implement network segmentation to isolate the ICS network from the corporate IT network, reducing the risk of lateral movement.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Given the critical CVSS score of 9.8 and the risk of remote code execution on sensitive industrial equipment, this vulnerability requires immediate attention. Organizations must prioritize applying the vendor-supplied patches to all affected systems. Although CVE-2025-11778 is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, its severity makes it a prime candidate for future inclusion and exploitation by threat actors. If immediate patching is not feasible, the compensating controls outlined above must be implemented without delay to reduce the attack surface and mitigate the immediate risk.