CVE-2025-11784
BaseFortify
Publication date: 2025-12-02
Last updated on: 2025-12-03
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| circutor | sge-plc1000_firmware | 9.0.2 |
| circutor | sge-plc1000 | * |
| circutor | sge-plc50_firmware | 9.0.2 |
| circutor | sge-plc50 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-121 | A stack-based buffer overflow condition is a condition where the buffer being overwritten is allocated on the stack (i.e., is a local variable or, rarely, a parameter to a function). |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is a stack-based buffer overflow in Circutor SGE-PLC1000/SGE-PLC50 version 9.0.2. It occurs in the 'ShowMeterDatabase()' function where user input from the 'meter' parameter is retrieved by 'GetParameter(meter)' and copied into a fixed-size buffer using 'sprintf()' without validating the input size. An attacker can exploit this by providing an excessively large input, causing memory corruption.
How can this vulnerability impact me? :
Exploiting this vulnerability can lead to memory corruption, which may allow an attacker to execute arbitrary code, crash the device, or cause denial of service. Since the vulnerability involves unsafe handling of user input, it could be leveraged to compromise the affected Circutor devices, potentially disrupting electricity network management functions.
What immediate steps should I take to mitigate this vulnerability?
The affected Circutor SGE-PLC1000/SGE-PLC50 devices are discontinued since 2015 and have been replaced by newer models (Compact DC and GEDE EDC). It is recommended to update the firmware to version 2.0.0 or later to mitigate these issues. [1]