CVE-2025-11781

High CVSS: 8.6

Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges.

Vendor

Circutor

Product

Sge-plc1000 Firmware

CWE

CWE-321

Yayın Tarihi

2025-12-02 13:15:49

Güncelleme

2025-12-03 19:10:34

Source Identifier

cve-coordination@incibe.es

KEV Date Added

Kategoriler

CWE-321 Sge-plc1000 Firmware HIGH Circutor 2025

Referanslar

https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0

Benzer Kayıtlar

High

CVE-2025-11789

Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'DownloadFile' function converts a parame…

High

CVE-2025-11788

Heap-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowSupervisorParameters()' f…

High

CVE-2025-11785

Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowMeterPasswords()' functi…

High

CVE-2025-11786

Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function,…

High

CVE-2025-11787

Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through the 'GetDNS()',…

High

CVE-2025-11782

Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'ShowDownload()' function uses “…