{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2025-11786", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "state": "PUBLISHED", "assignerShortName": "INCIBE", "dateReserved": "2025-10-15T12:06:16.258Z", "datePublished": "2025-12-02T13:01:37.231Z", "dateUpdated": "2025-12-02T13:36:41.564Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "product": "Circutor", "vendor": "SGE-PLC1000 SGE-PLC50", "versions": [{"status": "affected", "version": "9.0.2"}]}], "cpeApplicability": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sge-plc1000_sge-plc50:circutor:9.0.2:*:*:*:*:*:*:*", "vulnerable": true}], "negate": false, "operator": "OR"}], "operator": "OR"}], "credits": [{"lang": "en", "type": "finder", "value": "Gabriel Gonzalez and Sergio Ruiz"}], "datePublic": "2025-10-28T11:00:00.000Z", "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function, the 'newPassword' parameter is directly embedded in a shell command string using 'sprintf()' without any sanitisation or validation, and then executed using 'system()'. This allows an attacker to inject arbitrary shell commands that will be executed with the same privileges as the application."}], "value": "Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function, the 'newPassword' parameter is directly embedded in a shell command string using 'sprintf()' without any sanitisation or validation, and then executed using 'system()'. This allows an attacker to inject arbitrary shell commands that will be executed with the same privileges as the application."}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "baseScore": 8.5, "baseSeverity": "HIGH", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-12-02T13:01:39.635Z"}, "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0"}], "solutions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "The SGE-PLC100 and SGE-PLC50 units were discontinued in 2015. They were replaced by the Compact DC, which in turn became obsolete in November 2024. The current equivalent product is the GEDE EDC. The oldest version currently installed is 1.0.14, as it was the first to be compatible with the existing tariff system, while the latest version of these units is 1.2.21. Circutor recommends not extending the useful life of the SGE-PLC100 and SGE-PLC50 concentrators without keeping them updated. For both the Compact DC units (which replaced the SGE series) and the current GEDE EDC, it is recommended to update to the latest available version (2.0.4) or, at a minimum, to 2.0.0. This approach not only mitigates the identified vulnerabilities, but also provides new functionalities derived from the evolution of DLMS, the PRIME standard, STG protocols and the REST API."}], "value": "The SGE-PLC100 and SGE-PLC50 units were discontinued in 2015. They were replaced by the Compact DC, which in turn became obsolete in November 2024. The current equivalent product is the GEDE EDC. The oldest version currently installed is 1.0.14, as it was the first to be compatible with the existing tariff system, while the latest version of these units is 1.2.21. Circutor recommends not extending the useful life of the SGE-PLC100 and SGE-PLC50 concentrators without keeping them updated. For both the Compact DC units (which replaced the SGE series) and the current GEDE EDC, it is recommended to update to the latest available version (2.0.4) or, at a minimum, to 2.0.0. This approach not only mitigates the identified vulnerabilities, but also provides new functionalities derived from the evolution of DLMS, the PRIME standard, STG protocols and the REST API."}], "source": {"discovery": "EXTERNAL"}, "tags": ["unsupported-when-assigned"], "title": "Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2025-12-02T13:36:34.960174Z", "id": "CVE-2025-11786", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T13:36:41.564Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2025-11786", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2025-12-02T13:36:34.960174Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2025-12-02T13:36:38.157Z"}}], "cna": {"tags": ["unsupported-when-assigned"], "title": "Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50", "source": {"discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "finder", "value": "Gabriel Gonzalez and Sergio Ruiz"}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 8.5, "Automatable": "NOT_DEFINED", "attackVector": "ADJACENT", "baseSeverity": "HIGH", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "NONE", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "subIntegrityImpact": "LOW", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"vendor": "SGE-PLC1000 SGE-PLC50", "product": "Circutor", "versions": [{"status": "affected", "version": "9.0.2"}], "defaultStatus": "unaffected"}], "solutions": [{"lang": "en", "value": "The SGE-PLC100 and SGE-PLC50 units were discontinued in 2015. They were replaced by the Compact DC, which in turn became obsolete in November 2024. The current equivalent product is the GEDE EDC. The oldest version currently installed is 1.0.14, as it was the first to be compatible with the existing tariff system, while the latest version of these units is 1.2.21. Circutor recommends not extending the useful life of the SGE-PLC100 and SGE-PLC50 concentrators without keeping them updated. For both the Compact DC units (which replaced the SGE series) and the current GEDE EDC, it is recommended to update to the latest available version (2.0.4) or, at a minimum, to 2.0.0. This approach not only mitigates the identified vulnerabilities, but also provides new functionalities derived from the evolution of DLMS, the PRIME standard, STG protocols and the REST API.", "supportingMedia": [{"type": "text/html", "value": "The SGE-PLC100 and SGE-PLC50 units were discontinued in 2015. They were replaced by the Compact DC, which in turn became obsolete in November 2024. The current equivalent product is the GEDE EDC. The oldest version currently installed is 1.0.14, as it was the first to be compatible with the existing tariff system, while the latest version of these units is 1.2.21. Circutor recommends not extending the useful life of the SGE-PLC100 and SGE-PLC50 concentrators without keeping them updated. For both the Compact DC units (which replaced the SGE series) and the current GEDE EDC, it is recommended to update to the latest available version (2.0.4) or, at a minimum, to 2.0.0. This approach not only mitigates the identified vulnerabilities, but also provides new functionalities derived from the evolution of DLMS, the PRIME standard, STG protocols and the REST API.", "base64": false}]}], "datePublic": "2025-10-28T11:00:00.000Z", "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function, the 'newPassword' parameter is directly embedded in a shell command string using 'sprintf()' without any sanitisation or validation, and then executed using 'system()'. This allows an attacker to inject arbitrary shell commands that will be executed with the same privileges as the application.", "supportingMedia": [{"type": "text/html", "value": "Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function, the 'newPassword' parameter is directly embedded in a shell command string using 'sprintf()' without any sanitisation or validation, and then executed using 'system()'. This allows an attacker to inject arbitrary shell commands that will be executed with the same privileges as the application.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-121", "description": "CWE-121: Stack-based Buffer Overflow"}]}], "cpeApplicability": [{"nodes": [{"negate": false, "cpeMatch": [{"criteria": "cpe:2.3:a:sge-plc1000_sge-plc50:circutor:9.0.2:*:*:*:*:*:*:*", "vulnerable": true}], "operator": "OR"}], "operator": "OR"}], "providerMetadata": {"orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "shortName": "INCIBE", "dateUpdated": "2025-12-02T13:01:39.635Z"}}}, "cveMetadata": {"cveId": "CVE-2025-11786", "state": "PUBLISHED", "dateUpdated": "2025-12-02T13:36:41.564Z", "dateReserved": "2025-10-15T12:06:16.258Z", "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516", "datePublished": "2025-12-02T13:01:37.231Z", "assignerShortName": "INCIBE"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:circutor:sge-plc1000_firmware:9.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "3FC715A9-6F95-4795-B3B1-1BFAF88ACCE9", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:circutor:sge-plc1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "FFF41215-1018-42DD-9A7E-BBC2E5B4522D", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}, {"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:o:circutor:sge-plc50_firmware:9.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "203C8B5E-582A-4680-B324-B9092F01462B", "vulnerable": true}], "negate": false, "operator": "OR"}, {"cpeMatch": [{"criteria": "cpe:2.3:h:circutor:sge-plc50:-:*:*:*:*:*:*:*", "matchCriteriaId": "447D1571-5329-422D-8E31-F4964E412FC3", "vulnerable": false}], "negate": false, "operator": "OR"}], "operator": "AND"}], "cveTags": [{"sourceIdentifier": "cve-coordination@incibe.es", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function, the 'newPassword' parameter is directly embedded in a shell command string using 'sprintf()' without any sanitisation or validation, and then executed using 'system()'. This allows an attacker to inject arbitrary shell commands that will be executed with the same privileges as the application."}], "id": "CVE-2025-11786", "lastModified": "2025-12-03T19:13:02.350", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 9.8, "baseSeverity": "CRITICAL", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}], "cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "LOW", "attackRequirements": "NONE", "attackVector": "ADJACENT", "availabilityRequirement": "NOT_DEFINED", "baseScore": 8.5, "baseSeverity": "HIGH", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "LOW", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "LOW", "userInteraction": "NONE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "HIGH", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "cve-coordination@incibe.es", "type": "Secondary"}]}, "published": "2025-12-02T13:15:50.493", "references": [{"source": "cve-coordination@incibe.es", "tags": ["Third Party Advisory"], "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0"}], "sourceIdentifier": "cve-coordination@incibe.es", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-121"}], "source": "cve-coordination@incibe.es", "type": "Primary"}]}

{}