CVE-2025-11782
Unknown Unknown - Not Provided
BaseFortify

Publication date: 2025-12-02

Last updated on: 2025-12-03

Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)

Description
Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'ShowDownload()' function uses β€œsprintf()” to format a string that includes the user-controlled input of 'GetParameter(meter)' in the fixed-size buffer 'acStack_4c' (64 bytes) without checking the length. An attacker can provide an excessively long value for the 'meter' parameter that exceeds the 64-byte buffer size.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2025-12-02
Last Modified
2025-12-03
Generated
2026-06-16
AI Q&A
2025-12-02
EPSS Evaluated
2026-06-15
NVD
CVE-2025-11782
Affected Vendors & Products
Showing 4 associated CPEs
Vendor Product Version / Range
circutor sge-plc1000_firmware 9.0.2
circutor sge-plc1000 *
circutor sge-plc50_firmware 9.0.2
circutor sge-plc50 *
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-121 A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function).
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a stack-based buffer overflow in Circutor SGE-PLC1000/SGE-PLC50 version 9.0.2. It occurs in the 'ShowDownload()' function, which uses sprintf() to format a string including user-controlled input from 'GetParameter(meter)' into a fixed-size 64-byte buffer without checking the input length. An attacker can exploit this by providing an excessively long 'meter' parameter value, causing the buffer to overflow and potentially leading to memory corruption.

Impact Analysis

The buffer overflow can lead to memory corruption, which may allow an attacker to execute arbitrary code, crash the device, or cause denial of service. Since the vulnerability involves user-controlled input without proper length checks, it can be exploited to compromise the affected Circutor devices, potentially disrupting electricity network management functions.

Mitigation Strategies

The affected Circutor SGE-PLC1000/SGE-PLC50 devices are discontinued since 2015 and have been replaced by newer models (Compact DC and GEDE EDC). It is recommended to update to firmware versions 2.0.0 or later to mitigate vulnerabilities in these devices. Since CVE-2025-11782 involves unsafe use of sprintf() leading to buffer overflow, applying firmware updates or replacing the device with supported models is the immediate mitigation step. [1]

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-11782. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart