
CVE-2025-11782: Circutor SGE-PLC Buffer Overflow Flaw

CVE-2025-11782 is a stack-based buffer overflow in Circutor SGE-PLC1000/SGE-PLC50 firmware v9.0.2 affecting the ShowDownload() function. Attackers can exploit this flaw via the meter parameter. This article covers technical details, affected versions, impact, and mitigation strategies.

Updated: January 22, 2026

CVE-2025-11782 Overview

CVE-2025-11782 is a stack-based buffer overflow vulnerability affecting Circutor SGE-PLC1000 and SGE-PLC50 programmable logic controllers running firmware version 9.0.2. The vulnerability exists in the ShowDownload() function, which uses sprintf() to format a string that includes user-controlled input from GetParameter(meter) into a fixed-size buffer acStack_4c (64 bytes) without performing proper length validation. An attacker can exploit this vulnerability by providing an excessively long value for the meter parameter that exceeds the 64-byte buffer size, leading to a stack-based buffer overflow condition.

With a CVSS 4.0 score of 8.5 (HIGH), this vulnerability poses significant risk to industrial control system environments where these PLC devices are deployed. The attack vector requires adjacent network access, making it particularly dangerous in operational technology (OT) networks where network segmentation may be insufficient.

Critical Impact

Stack-based buffer overflow in industrial PLC firmware could allow attackers to corrupt stack memory, potentially leading to arbitrary code execution, denial of service, or complete device compromise in critical infrastructure environments.

Affected Products

  • Circutor SGE-PLC1000 Firmware v9.0.2
  • Circutor SGE-PLC1000 Hardware
  • Circutor SGE-PLC50 Firmware v9.0.2
  • Circutor SGE-PLC50 Hardware

Discovery Timeline

  • 2025-12-02 - CVE-2025-11782 published to NVD
  • 2025-12-03 - Last updated in NVD database

Technical Details for CVE-2025-11782

Vulnerability Analysis

This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), a critical memory corruption vulnerability class. The affected function ShowDownload() implements insecure string handling by utilizing sprintf(), a notoriously unsafe C library function that performs no bounds checking when writing formatted output to a destination buffer.

The vulnerable code path accepts user input through the GetParameter(meter) function call and directly incorporates this input into a format string operation targeting acStack_4c, a stack-allocated buffer with a fixed size of only 64 bytes. When an attacker supplies a meter parameter value exceeding 64 characters, the sprintf() function will write beyond the allocated buffer boundaries, corrupting adjacent stack memory.

The CVSS 4.0 vector CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H indicates:

  • Attack Vector (AV:A): Adjacent network access required
  • Attack Complexity (AC:L): Low complexity to exploit
  • Privileges Required (PR:L): Low-level privileges needed
  • User Interaction (UI:N): No user interaction required
  • Impact: High confidentiality and availability impact and low integrity impact, on both the vulnerable system (VC:H/VI:L/VA:H) and subsequent systems (SC:H/SI:L/SA:H)

The current EPSS score of 0.06% (18.855 percentile) indicates a low estimated probability of exploitation at this time.

Root Cause

The root cause of CVE-2025-11782 is the use of the unsafe sprintf() function without implementing proper bounds checking on user-supplied input. The ShowDownload() function fails to validate the length of the meter parameter retrieved via GetParameter() before passing it to the format string operation.

This represents a fundamental secure coding violation where:

  1. User input is accepted without length validation
  2. An unbounded string formatting function is used
  3. The destination buffer has a fixed, insufficient size
  4. No stack protection mechanisms appear to mitigate the overflow

Secure alternatives such as snprintf() with explicit buffer size limits, or input validation to reject oversized parameters, would have prevented this vulnerability.
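The unbounded pattern described above next to a bounded replacement, as an added example (not Circutor firmware code and not taken from the advisory). Only the 64-byte buffer size and the use of sprintf() come from this page; the format string DL_FMT and the function names are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DL_BUF_SIZE 64                 /* size the page gives for acStack_4c */
#define DL_FMT "/download?meter=%s"    /* hypothetical; real format string is not on the page */

/* Pattern from the advisory: sprintf() with no length check (CWE-121).
 * Memory-safe only while the whole formatted string fits in 63 characters. */
static void format_unsafe(char out[DL_BUF_SIZE], const char *meter)
{
    sprintf(out, DL_FMT, meter);
}

/* Hardened form: bounded write plus an explicit truncation check.
 * Returns 0 on success, -1 if the input is missing or would not fit. */
static int format_safe(char out[DL_BUF_SIZE], const char *meter)
{
    if (meter == NULL)
        return -1;
    int n = snprintf(out, DL_BUF_SIZE, DL_FMT, meter);
    if (n < 0 || (size_t)n >= DL_BUF_SIZE) {
        out[0] = '\0';                 /* never pass a truncated string onward */
        return -1;
    }
    return 0;
}

/* Longest meter value that fits beside the fixed text and the NUL. */
static size_t max_meter_len(void)
{
    return DL_BUF_SIZE - 1 - (sizeof(DL_FMT) - 1 - 2);  /* 2 = strlen("%s") */
}

int main(void)
{
    char buf[DL_BUF_SIZE];
    char big[100];                     /* constructed oversized input */
    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    format_unsafe(buf, "12345");       /* short input: fits */
    printf("%s\n", buf);
    printf("safe(short)=%d safe(99 chars)=%d max=%zu\n",
           format_safe(buf, "12345"), format_safe(buf, big), max_meter_len());
    return 0;
}
```

With this assumed 16-character prefix the buffer is already full at a 47-character meter value, so the practical limit sits below the 64-byte buffer size whenever the format string carries fixed text.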

Attack Vector

The attack vector for CVE-2025-11782 requires adjacent network access, meaning an attacker must be on the same network segment as the vulnerable PLC device. This is typical for industrial control systems that may be accessible via operational technology (OT) networks.

Exploitation involves sending a crafted HTTP request or web interface interaction that includes an oversized meter parameter value. The vulnerable firmware will process this request through the ShowDownload() function, triggering the buffer overflow when sprintf() attempts to write the excessive data into the 64-byte stack buffer.

The overflow can corrupt:

  • Return addresses on the stack (enabling control flow hijacking)
  • Saved frame pointers
  • Local variables of calling functions
  • Other critical stack data structures

This could result in arbitrary code execution with the privileges of the PLC firmware, denial of service through device crash, or manipulation of PLC operations.

Detection Methods for CVE-2025-11782

Indicators of Compromise

  • Abnormal HTTP requests to PLC web interfaces containing excessively long meter parameter values (greater than 64 characters)
  • Unexpected PLC device reboots or crashes indicating potential exploitation attempts
  • Network traffic from unauthorized sources targeting PLC management interfaces
  • Memory corruption errors or fault conditions logged by the PLC device
  • Unusual process behavior or memory access patterns on affected devices

Detection Strategies

Network-based detection should focus on monitoring traffic to Circutor SGE-PLC1000 and SGE-PLC50 devices for HTTP requests containing abnormally long parameter values. Deep packet inspection rules can be configured to alert on meter parameters exceeding 64 bytes in length.
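One way to implement the length check described above over logged HTTP request targets, as an added example (not SentinelOne or Circutor code). It assumes the meter value travels in the query string; the /download path and the sample requests are constructed placeholders.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Threshold from the page. The buffer must also hold the NUL terminator
 * and any fixed text in the format string, so a lower value is safer. */
#define METER_ALERT_LEN 64

/* Percent-decoded byte length of the first "meter" query parameter in an
 * HTTP request target, or -1 if the parameter is absent. */
static long meter_value_len(const char *target)
{
    const char *q = strchr(target, '?');
    if (q == NULL)
        return -1;
    for (const char *p = q + 1; *p != '\0'; ) {
        size_t klen = strcspn(p, "=&");
        const char *next = p + strcspn(p, "&");
        if (klen == 5 && strncmp(p, "meter", 5) == 0 && p[klen] == '=') {
            long n = 0;
            for (const char *v = p + klen + 1; v < next; n++) {
                /* "%41" is three bytes on the wire but one byte once decoded */
                if (v[0] == '%' && next - v >= 3 &&
                    isxdigit((unsigned char)v[1]) && isxdigit((unsigned char)v[2]))
                    v += 3;
                else
                    v += 1;
            }
            return n;
        }
        p = (*next == '&') ? next + 1 : next;
    }
    return -1;
}

/* 1 if the request should raise an alert, 0 otherwise. */
static int meter_is_oversized(const char *target)
{
    return meter_value_len(target) > METER_ALERT_LEN;
}

int main(void)
{
    /* Constructed request targets. */
    const char *samples[] = { "/download?meter=12345",
                              "/download?meter=%41%42%43&id=7" };
    for (size_t i = 0; i < 2; i++)
        printf("%ld %d\n", meter_value_len(samples[i]), meter_is_oversized(samples[i]));
    return 0;
}
```

Counting decoded bytes rather than raw characters keeps the alert aligned with what reaches the buffer once the web server has decoded the parameter.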

The SentinelOne Singularity platform provides comprehensive protection through:

  • Behavioral AI Detection: Identifies anomalous execution patterns indicative of buffer overflow exploitation
  • Memory Protection: Detects and prevents unauthorized memory access and stack corruption
  • Network Visibility: Monitors lateral movement attempts targeting industrial control systems
  • Threat Intelligence Integration: Real-time correlation with known ICS/SCADA attack patterns

Monitoring Recommendations

Organizations should implement the following monitoring controls:

  1. Network Segmentation Monitoring: Ensure PLC devices are isolated on dedicated OT networks with monitored ingress/egress points
  2. Access Logging: Enable and centralize logging for all web interface access to affected PLC devices
  3. Anomaly Detection: Configure IDS/IPS rules to detect oversized HTTP parameters targeting PLC interfaces
  4. Device Health Monitoring: Implement continuous monitoring for unexpected device reboots or operational anomalies
  5. Firmware Version Tracking: Maintain an inventory of all Circutor PLC devices and their firmware versions to identify vulnerable assets

How to Mitigate CVE-2025-11782

Immediate Actions Required

  • Identify all Circutor SGE-PLC1000 and SGE-PLC50 devices running firmware version 9.0.2 in your environment
  • Implement network segmentation to restrict adjacent network access to affected PLC devices
  • Configure firewall rules to limit access to PLC web interfaces to authorized management systems only
  • Enable logging and monitoring for all access attempts to affected devices
  • Review and restrict user accounts with access to PLC management interfaces (low privileges still enable exploitation)

Patch Information

Consult the INCIBE-CERT advisory for official patch information from Circutor: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0

Organizations should:

  1. Contact Circutor directly for firmware updates addressing CVE-2025-11782
  2. Review the INCIBE-CERT advisory for additional affected products and vulnerabilities
  3. Plan firmware update deployment during scheduled maintenance windows
  4. Test updates in non-production environments before production deployment

Workarounds

Until a patch is available, organizations should implement defense-in-depth measures to reduce exploitation risk:

Network isolation remains the most effective workaround for this adjacent network attack vector. Place affected PLC devices on dedicated, isolated network segments with strict access controls. Only authorized management systems should have network connectivity to these devices.

Additionally, consider implementing:

  • Web application firewall (WAF) rules to reject HTTP requests with meter parameters exceeding safe lengths
  • Input validation at network perimeter devices
  • Enhanced monitoring and alerting for access attempts to affected devices
  • Disabling unnecessary web interface functionality if operational requirements permit

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Vulnerability Details

  • Type: Buffer Overflow
  • Vendor/Tech: Circutor
  • Severity: HIGH
  • CVSS Score: 8.5
  • EPSS Probability: 0.06%
  • Known Exploited: No

CVSS Vector

  • CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Impact Assessment

  • Confidentiality: Low
  • Integrity: None
  • Availability: High

CWE References

  • CWE-121

Technical References

  • Third Party Advisory

Related CVEs

  • CVE-2025-11789
  • CVE-2025-11788
  • CVE-2025-11787
  • CVE-2025-11786
  • CVE-2025-11785
  • CVE-2025-11784
  • CVE-2025-11783
  • CVE-2025-11781
  • CVE-2025-11780
  • CVE-2025-11779