CVE-2025-11786
Circutor · SGE-PLC1000 and SGE-PLC50
A stack-based buffer overflow in the 'SetUserPassword()' function allows unauthenticated attackers to execute arbitrary shell commands via unsanitized input.
Executive summary
A critical command injection vulnerability in Circutor SGE-PLC series devices allows unauthenticated attackers to achieve remote code execution with elevated system privileges.
Vulnerability
This vulnerability stems from missing input sanitization in the 'SetUserPassword()' function: the 'newPassword' parameter is formatted into a command string with 'sprintf()', and that string is then executed via 'system()'. Because the shell interprets the whole string, an unauthenticated attacker can inject arbitrary shell commands through the password value.
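The sprintf()-into-system() pattern the advisory describes, shown beside a hardened version, as an added example in C that is not Circutor's code and not the device firmware. The helper path /usr/sbin/set_pw, the argument layout, the accepted character set and the function names are assumptions made for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/wait.h>

#define PW_MAX 64
/* Hypothetical stand-in for the device's password helper (assumed). */
#define PW_TOOL "/usr/sbin/set_pw"

/* Vulnerable pattern from the advisory: the new password is formatted into
 * a shell command line, so /bin/sh reinterprets any metacharacter it holds.
 * This helper only builds the string to show that; it never runs it. */
int build_pw_command_unsafe(const char *new_pw, char *out, size_t n)
{
    return snprintf(out, n, PW_TOOL " admin %s", new_pw);
}

/* Hardened check: accept only a bounded, explicit character set, so the
 * value cannot change the meaning of whatever later consumes it. */
int password_is_acceptable(const char *pw)
{
    size_t len = strlen(pw);
    if (len < 8 || len > PW_MAX)
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)pw[i];
        if (!isalnum(c) && !strchr("._-@#%", c))
            return 0;
    }
    return 1;
}

/* Hardened execution: no shell at all. The password travels as a single
 * argv element to a fixed program, so it is data rather than command text.
 * Returns the child's exit status, or -1 on refusal or failure. */
int set_user_password_safe(const char *user, const char *new_pw)
{
    if (!password_is_acceptable(new_pw)) return -1;
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        char *const argv[] = { PW_TOOL, (char *)user, (char *)new_pw, NULL };
        execv(PW_TOOL, argv);
        _exit(127); /* exec failed: report it without ever invoking /bin/sh */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}
```

The validation step is the detection point as well: a rejected value containing shell metacharacters is worth logging as a probe against the management interface.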
Business impact
The exploitation of this vulnerability poses a severe risk to operational integrity, as it grants attackers full control over the affected PLC devices. With a CVSS score of 9.8, this flaw could lead to total system compromise, unauthorized data access, and the potential for malicious actors to disrupt critical industrial control processes, resulting in significant operational downtime.
Remediation
Immediate Action: Contact the vendor immediately to obtain the latest firmware update that addresses the command injection vulnerability in the 'SetUserPassword()' function.
Proactive Monitoring: Review device logs for unusual shell command execution patterns and monitor network traffic for unexpected inbound requests targeting the device's administrative functions.
Compensating Controls: Implement strict network segmentation and firewall rules to restrict access to the affected PLC management interfaces to trusted internal IP addresses only.
Exploitation status
Public Exploit Available: Unknown
Analyst recommendation
Given the critical nature of this command injection vulnerability, immediate action is required. Organizations utilizing Circutor SGE-PLC1000 or SGE-PLC50 units should isolate these devices from public-facing networks until a vendor-supplied patch is successfully applied.