CVE-2025-11779
BaseFortify
Publication date: 2025-12-02
Last updated on: 2025-12-03
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| circutor | sge-plc1000_firmware | 9.0.2 |
| circutor | sge-plc1000 | * |
| circutor | sge-plc50_firmware | 9.0.2 |
| circutor | sge-plc50 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stack-based buffer overflow in Circutor SGE-PLC1000/SGE-PLC50 version 9.0.2. It occurs in the 'SetLan' function, which is triggered when a new configuration is applied via a management web request through the 'index.cgi' web application. The parameters passed to this function are not properly sanitized, which can lead to command injection, allowing an attacker to execute arbitrary commands on the device.
How can this vulnerability impact me? :
This vulnerability can allow an attacker with access to the management web interface to execute arbitrary commands on the affected device. This could lead to unauthorized control over the device, potentially disrupting its operation, compromising the network it manages, or enabling further attacks within the network.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps include updating the firmware of Circutor SGE-PLC1000/SGE-PLC50 devices to version 2.0.0 or later, as the affected devices have been discontinued and replaced by newer models. This update addresses multiple vulnerabilities including stack-based buffer overflows and command injection issues. [1]