CVE-2025-11789
BaseFortify
Publication date: 2025-12-02
Last updated on: 2025-12-03
Assigner: Spanish National Cybersecurity Institute, S.A. (INCIBE)
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| circutor | sge-plc1000_firmware | 9.0.2 |
| circutor | sge-plc1000 | * |
| circutor | sge-plc50_firmware | 9.0.2 |
| circutor | sge-plc50 | * |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-125 | The product reads data past the end, or before the beginning, of the intended buffer. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability is an out-of-bounds read in Circutor SGE-PLC1000/SGE-PLC50 version 9.0.2. It occurs in the 'DownloadFile' function, where a parameter is converted to an integer using 'atoi()' and then used as an index to access the 'FilesDownload' array. If the parameter value is too large, it causes the program to read memory beyond the array's limits, potentially leading to unexpected behavior or information disclosure.
How can this vulnerability impact me? :
The out-of-bounds read can lead to unauthorized access to memory areas beyond the intended array, which may result in information disclosure or cause the device to behave unpredictably. This can compromise the security and reliability of the affected Circutor devices, potentially impacting the management of electricity networks that rely on these devices.
What immediate steps should I take to mitigate this vulnerability?
The affected Circutor SGE-PLC1000/SGE-PLC50 devices are discontinued since 2015 and have been replaced by newer models. It is recommended to update the firmware to version 2.0.0 or later to mitigate this and related vulnerabilities. [1]