
CVE-2025-11783: Circutor SGE-PLC Buffer Overflow Flaw

CVE-2025-11783 is a stack-based buffer overflow in Circutor SGE-PLC1000 firmware v9.0.2 that enables remote code execution via the AddEvent() function. This article covers technical details, affected versions, and mitigation.


CVE-2025-11783 Overview

CVE-2025-11783 is a stack-based buffer overflow [CWE-121] in Circutor SGE-PLC1000 and SGE-PLC50 industrial controllers running firmware version 9.0.2. The flaw resides in the AddEvent() function, which copies a user-controlled username into a fixed-size 48-byte stack buffer without performing boundary checks. An authenticated attacker on an adjacent network can corrupt stack memory and potentially achieve remote code execution on affected devices.

Critical Impact

Memory corruption in the AddEvent() function can allow remote code execution on Circutor SGE-PLC1000 and SGE-PLC50 devices running firmware 9.0.2, threatening the integrity of industrial control environments.

Affected Products

  • Circutor SGE-PLC1000 firmware version 9.0.2
  • Circutor SGE-PLC50 firmware version 9.0.2
  • Circutor SGE-PLC1000 and SGE-PLC50 hardware platforms

Discovery Timeline

  • 2025-12-02 - CVE-2025-11783 published to NVD
  • 2025-12-03 - Last updated in NVD database

Technical Details for CVE-2025-11783

Vulnerability Analysis

The vulnerability stems from unchecked memory operations in the AddEvent() function of the SGE-PLC firmware. The function accepts a username supplied by an authenticated user and copies it into a fixed 48-byte stack buffer. Because the function performs no length validation, an attacker can submit a username longer than 48 bytes and overwrite adjacent stack memory, including saved return addresses and frame pointers.

Industrial controllers like the Circutor SGE-PLC series operate inside operational technology (OT) networks where firmware updates are infrequent and exposure windows tend to be long. Exploitation requires no user interaction, but it does require valid low-privileged credentials and adjacent network access to the device's management interface.

The weakness is classified as [CWE-121] Stack-based Buffer Overflow. Successful exploitation can transition from memory corruption to control-flow hijack, enabling arbitrary code execution within the embedded process context.

Root Cause

The root cause is the absence of bounds checking when copying the username argument into the stack-allocated 48-byte buffer inside AddEvent(). The function trusts the size of attacker-controlled input rather than enforcing a hard limit through safe string functions or explicit length validation.
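To make the root cause concrete, the following is an added illustration and not Circutor's firmware code (the real AddEvent() source is not published): a hypothetical add_event that copies the username into a 48-byte stack buffer the way the advisory describes, next to a version that derives the bound from the buffer and refuses input that cannot fit. Function names, the output format and the sample usernames are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define USERNAME_BUF 48   /* fixed stack buffer size named in the advisory */

/* Pattern the advisory describes: the copy length is dictated by the input,
 * so a username that does not fit (with its terminator) in the 48-byte stack
 * buffer overwrites whatever follows it in the frame (CWE-121).
 * Kept only for contrast; never call it with untrusted input. */
static void add_event_unchecked(const char *username, char *out, size_t outlen)
{
    char name[USERNAME_BUF];
    strcpy(name, username);                      /* no bound check */
    snprintf(out, outlen, "event: login by %s", name);
}

/* Hardened version: the limit comes from sizeof(name), not from the input,
 * and oversized input is rejected rather than silently truncated. */
static int add_event_checked(const char *username, char *out, size_t outlen)
{
    char name[USERNAME_BUF];
    size_t len = 0;

    /* Bounded scan: stop at the first byte that could not be stored anyway. */
    while (len < sizeof name && username[len] != '\0')
        len++;
    if (len >= sizeof name)                      /* no room for the terminator */
        return -1;

    memcpy(name, username, len);
    name[len] = '\0';
    snprintf(out, outlen, "event: login by %s", name);
    return 0;
}

int main(void)
{
    char line[96];
    char oversized[64];                          /* constructed 63-byte name */

    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    add_event_unchecked("operator", line, sizeof line);   /* fits, so fine */
    printf("%s\n", line);

    if (add_event_checked(oversized, line, sizeof line) != 0)
        printf("rejected %zu-byte username\n", strlen(oversized));
    return 0;
}
```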

Attack Vector

The attack vector is adjacent network. An attacker with low-privileged credentials sends a crafted request containing an oversized username to the affected SGE-PLC management interface. The oversized value reaches AddEvent(), overflows the 48-byte buffer, and corrupts the call stack. Refer to the INCIBE Security Notice for vendor-supplied details on the affected interfaces.

Detection Methods for CVE-2025-11783

Indicators of Compromise

  • Unusually long username strings in authentication or event-related requests sent to the SGE-PLC management interface.
  • Unexpected device reboots, watchdog resets, or service crashes on SGE-PLC1000 or SGE-PLC50 controllers.
  • Outbound network connections from PLC management interfaces to unknown hosts after suspicious authentication activity.

Detection Strategies

  • Inspect HTTP and protocol-level traffic to SGE-PLC devices for request fields containing username values exceeding 48 bytes.
  • Correlate authentication attempts using low-privileged accounts with subsequent device unavailability or reset events.
  • Monitor OT segment traffic for anomalous source hosts communicating with management ports of Circutor controllers.
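As an added example of the first strategy above (and of the oversized-username signature suggested under Workarounds), not code from the original advisory: a check that measures the username field of a form-encoded request body as the device would see it after percent-decoding, so that "%41%41..." padding is neither over- nor under-counted. The field name "username", the 48-byte limit as the alert threshold and the sample bodies are assumptions.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define USERNAME_LIMIT 48   /* stack buffer size named in the advisory */

/* Decoded byte length of the "username" field in a form-encoded body, or -1
 * if the field is absent. A %XX escape counts as one byte so the length is
 * measured as the device would see it after decoding. */
static long username_field_length(const char *body)
{
    const char *p = body;
    while (p != NULL && *p != '\0') {
        const char *eq = strchr(p, '=');
        if (eq == NULL)
            break;
        const char *val = eq + 1;
        const char *amp = strchr(val, '&');
        size_t vlen = amp ? (size_t)(amp - val) : strlen(val);
        if ((size_t)(eq - p) == 8 && strncmp(p, "username", 8) == 0) {
            long n = 0;
            for (size_t i = 0; i < vlen; i++, n++)
                if (val[i] == '%' && i + 2 < vlen &&
                    isxdigit((unsigned char)val[i + 1]) &&
                    isxdigit((unsigned char)val[i + 2]))
                    i += 2;              /* skip the two hex digits */
            return n;
        }
        p = amp ? amp + 1 : NULL;
    }
    return -1;
}

/* Alert predicate for the "exceeds 48 bytes" rule above. */
static int oversized_username(const char *body)
{
    return username_field_length(body) > USERNAME_LIMIT;
}

int main(void)
{
    /* Constructed sample bodies, not captured traffic. */
    const char *normal = "username=operator&password=secret";
    char crafted[128] = "username=";
    memset(crafted + 9, 'A', 60);
    crafted[69] = '\0';
    printf("normal:  len=%ld alert=%d\n", username_field_length(normal), oversized_username(normal));
    printf("crafted: len=%ld alert=%d\n", username_field_length(crafted), oversized_username(crafted));
    return 0;
}
```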

Monitoring Recommendations

  • Enable verbose logging on engineering workstations and jump hosts that administer SGE-PLC devices, then forward logs to a centralized SIEM.
  • Baseline normal management traffic patterns to Circutor controllers and alert on deviations in request size or frequency.
  • Track firmware version reporting from asset inventory tools to identify devices still running 9.0.2.

How to Mitigate CVE-2025-11783

Immediate Actions Required

  • Identify all Circutor SGE-PLC1000 and SGE-PLC50 devices running firmware 9.0.2 and inventory their management interfaces.
  • Restrict adjacent network access to management ports using firewall rules and network segmentation.
  • Rotate credentials for any low-privileged accounts that can authenticate to the affected devices.

Patch Information

No vendor patch link is listed in the available advisory data. Consult the INCIBE Security Notice and contact Circutor support to obtain remediation guidance and any updated firmware images for the SGE-PLC1000 and SGE-PLC50 product lines.

Workarounds

  • Place SGE-PLC controllers behind a dedicated OT firewall and permit management traffic only from approved engineering workstations.
  • Disable or restrict accounts that are not required for daily operations, reducing the population of credentials usable for exploitation.
  • Deploy network intrusion detection signatures that flag oversized username fields in requests destined for SGE-PLC management interfaces.
```bash
# Configuration example: restrict management access to SGE-PLC devices
# Replace addresses with your engineering workstation and PLC subnets
# Rules are matched in order: the ACCEPT for approved workstations must precede the catch-all DROP
iptables -A FORWARD -s 10.10.20.0/24 -d 10.30.40.0/24 -p tcp --dport 443 -j ACCEPT
iptables -A FORWARD -d 10.30.40.0/24 -p tcp --dport 443 -j DROP
```

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
