A Leader in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms. Five years running.A Leader in the Gartner® Magic Quadrant™Read the Report
Experiencing a Breach?Blog
Get StartedContact Us
SentinelOne
  • Platform
    Platform Overview
    • Singularity Platform
      Welcome to Integrated Enterprise Security
    • AI Security Portfolio
      Leading the Way in AI-Powered Security Solutions
    • How It Works
      The Singularity XDR Difference
    • Singularity Marketplace
      One-Click Integrations to Unlock the Power of XDR
    • Pricing & Packaging
      Comparisons and Guidance at a Glance
    Data & AI
    • Purple AI
      Accelerate SecOps with Generative AI
    • Singularity Hyperautomation
      Easily Automate Security Processes
    • AI-SIEM
      The AI SIEM for the Autonomous SOC
    • Singularity Data Lake
      AI-Powered, Unified Data Lake
    • Singularity Data Lake for Log Analytics
      Seamlessly ingest data from on-prem, cloud or hybrid environments
    Endpoint Security
    • Singularity Endpoint
      Autonomous Prevention, Detection, and Response
    • Singularity XDR
      Native & Open Protection, Detection, and Response
    • Singularity RemoteOps Forensics
      Orchestrate Forensics at Scale
    • Singularity Threat Intelligence
      Comprehensive Adversary Intelligence
    • Singularity Vulnerability Management
      Application & OS Vulnerability Management
    Cloud Security
    • Singularity Cloud Security
      Block Attacks with an AI-powered CNAPP
    • Singularity Cloud Native Security
      Secure Cloud and Development Resources
    • Singularity Cloud Workload Security
      Real-Time Cloud Workload Protection Platform
    • Singularity Cloud Data Security
      AI-Powered Threat Detection for Cloud Storage
    • Singularity Cloud Security Posture Management
      Detect and Remediate Cloud Misconfigurations
    Identity Security
    • Singularity Identity
      Identity Threat Detection and Response
  • Why SentinelOne?
    Why SentinelOne?
    • Why SentinelOne?
      Cybersecurity Built for What’s Next
    • Our Customers
      Trusted by the World’s Leading Enterprises
    • Industry Recognition
      Tested and Proven by the Experts
    • About Us
      The Industry Leader in Autonomous Cybersecurity
    Compare SentinelOne
    • Arctic Wolf
    • Broadcom
    • CrowdStrike
    • Cybereason
    • Microsoft
    • Palo Alto Networks
    • Sophos
    • Splunk
    • Trellix
    • Trend Micro
    • Wiz
    Verticals
    • Energy
    • Federal Government
    • Finance
    • Healthcare
    • Higher Education
    • K-12 Education
    • Manufacturing
    • Retail
    • State and Local Government
  • Services
    Managed Services
    • Managed Services Overview
      Wayfinder Threat Detection & Response
    • Threat Hunting
      World-class Expertise and Threat Intelligence.
    • Managed Detection & Response
      24/7/365 Expert MDR Across Your Entire Environment
    • Incident Readiness & Response
      Digital Forensics, IRR & Breach Readiness
    Support, Deployment, & Health
    • Technical Account Management
      Customer Success with Personalized Service
    • SentinelOne GO
      Guided Onboarding & Deployment Advisory
    • SentinelOne University
      Live and On-Demand Training
    • Services Overview
      Comprehensive solutions for seamless security operations
    • SentinelOne Community
      Community Login
  • Partners
    Our Network
    • MSSP Partners
      Succeed Faster with SentinelOne
    • Singularity Marketplace
      Extend the Power of S1 Technology
    • Cyber Risk Partners
      Enlist Pro Response and Advisory Teams
    • Technology Alliances
      Integrated, Enterprise-Scale Solutions
    • SentinelOne for AWS
      Hosted in AWS Regions Around the World
    • Channel Partners
      Deliver the Right Solutions, Together
    • Partner Locator
      Your go-to source for our top partners in your region
    Partner Portal→
  • Resources
    Resource Center
    • Case Studies
    • Data Sheets
    • eBooks
    • Reports
    • Videos
    • Webinars
    • Whitepapers
    • Events
    View All Resources→
    Blog
    • Feature Spotlight
    • For CISO/CIO
    • From the Front Lines
    • Identity
    • Cloud
    • macOS
    • SentinelOne Blog
    Blog→
    Tech Resources
    • SentinelLABS
    • Ransomware Anthology
    • Cybersecurity 101
  • About
    About SentinelOne
    • About SentinelOne
      The Industry Leader in Cybersecurity
    • Investor Relations
      Financial Information & Events
    • SentinelLABS
      Threat Research for the Modern Threat Hunter
    • Careers
      The Latest Job Opportunities
    • Press & News
      Company Announcements
    • Cybersecurity Blog
      The Latest Cybersecurity Threats, News, & More
    • FAQ
      Get Answers to Our Most Frequently Asked Questions
    • DataSet
      The Live Data Platform
    • S Foundation
      Securing a Safer Future for All
    • S Ventures
      Investing in the Next Generation of Security, Data and AI
  • Pricing
Get StartedContact Us
CVE Vulnerability Database
Vulnerability Database/CVE-2025-11784

CVE-2025-11784: Circutor SGE-PLC Buffer Overflow Flaw

CVE-2025-11784 is a stack-based buffer overflow in Circutor SGE-PLC1000/SGE-PLC50 firmware v9.0.2 that allows attackers to exploit unchecked input in the ShowMeterDatabase function. This article covers technical details, impact, and mitigation.

Updated: January 22, 2026

CVE-2025-11784 Overview

CVE-2025-11784 is a stack-based buffer overflow vulnerability affecting Circutor SGE-PLC1000 and SGE-PLC50 programmable logic controllers running firmware version 9.0.2. The vulnerability exists in the ShowMeterDatabase() function, where unlimited user input is copied to a fixed-size buffer via sprintf(). The GetParameter(meter) function retrieves user input that is directly incorporated into a buffer without proper size validation, allowing an attacker to provide an excessively large input for the meter parameter.

This vulnerability is classified as CWE-121 (Stack-based Buffer Overflow), a critical memory corruption flaw that can lead to arbitrary code execution, system compromise, or denial of service in industrial control systems.

Critical Impact

Adjacent network attackers with low privileges can exploit this stack-based buffer overflow to potentially achieve code execution, compromise confidentiality, and cause significant disruption to industrial control operations. The CVSS 4.0 score of 8.5 (HIGH) reflects the serious nature of this vulnerability in industrial environments.

Affected Products

  • Circutor SGE-PLC1000 Firmware version 9.0.2
  • Circutor SGE-PLC1000 Hardware
  • Circutor SGE-PLC50 Firmware version 9.0.2
  • Circutor SGE-PLC50 Hardware

Discovery Timeline

  • 2025-12-02 - CVE-2025-11784 published to NVD
  • 2025-12-03 - Last updated in NVD database

Technical Details for CVE-2025-11784

Vulnerability Analysis

The vulnerability resides in the ShowMeterDatabase() function within the Circutor SGE-PLC firmware. This function processes meter-related database queries and accepts user-supplied input through the meter parameter. The critical flaw occurs when this user input is retrieved via the GetParameter(meter) function and subsequently passed to sprintf() for buffer construction.

The use of sprintf() without bounds checking is a classic memory safety issue. The function copies the entire user-supplied string into a fixed-size stack buffer regardless of input length. When an attacker provides input exceeding the buffer's allocated size, the overflow corrupts adjacent stack memory, potentially overwriting critical data structures including the function's return address.

With a CVSS 4.0 vector of CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H, this vulnerability requires adjacent network access and low privileges but no user interaction, making it exploitable in typical industrial network configurations where PLCs are connected to operational technology (OT) networks.

Root Cause

The root cause is improper input validation and the use of unsafe string handling functions. The GetParameter(meter) function returns user-controlled data that flows directly into sprintf() without any length checking or truncation. The destination buffer has a fixed size allocated on the stack, but the source data has no upper bound restriction.

This represents a fundamental violation of secure coding practices for C/C++ applications, particularly critical in embedded systems and industrial controllers where memory safety directly impacts operational safety.

Attack Vector

The attack vector is classified as Adjacent Network (AV:A), meaning an attacker must have access to the same network segment as the vulnerable PLC. In industrial environments, this typically means access to the operational technology (OT) network or control system network where these PLCs are deployed.

An attacker can craft a malicious HTTP request or protocol message containing an oversized meter parameter value. When the ShowMeterDatabase() function processes this request, the overflow occurs, potentially allowing the attacker to:

  1. Overwrite the return address to redirect execution to attacker-controlled code
  2. Corrupt local variables to manipulate program logic
  3. Cause a denial of service by crashing the PLC application
  4. Achieve remote code execution on the embedded device

The attack complexity is low (AC:L) and requires no user interaction (UI:N), with low privilege requirements (PR:L), making exploitation relatively straightforward once network access is obtained.

Detection Methods for CVE-2025-11784

Indicators of Compromise

  • Abnormally large HTTP requests or protocol messages targeting meter database functions on affected PLCs
  • Unexpected crashes or reboots of Circutor SGE-PLC1000 or SGE-PLC50 devices
  • Anomalous network traffic patterns to/from PLC devices on ports used for web management interfaces
  • Memory access violations or segmentation faults in PLC application logs
  • Unusual parameter values in requests to database query endpoints

Detection Strategies

Network-based detection should focus on monitoring traffic to Circutor PLCs for requests containing abnormally long parameter values, particularly in the meter parameter field. Deep packet inspection rules can identify requests with parameter lengths exceeding expected thresholds.

Host-based detection on network security appliances should monitor for buffer overflow exploitation patterns characteristic of stack-based attacks. SentinelOne's Singularity platform provides behavioral detection capabilities that can identify memory corruption exploitation attempts, including stack buffer overflow attacks against industrial control systems.

Implement network segmentation monitoring to detect unauthorized access attempts to OT network segments where these PLCs are deployed. Any traffic from IT networks or untrusted sources targeting PLC management interfaces should trigger security alerts.

Monitoring Recommendations

Deploy network monitoring solutions at the boundary between IT and OT networks to detect and alert on potential exploitation attempts. Enable verbose logging on any web application firewalls or intrusion detection systems monitoring traffic to affected devices.

Implement asset inventory and vulnerability scanning to identify all Circutor SGE-PLC1000 and SGE-PLC50 devices running vulnerable firmware version 9.0.2. Regularly audit network access controls to ensure only authorized personnel can reach PLC management interfaces.

The current EPSS score of 0.063% (19.6th percentile) indicates relatively low probability of exploitation in the wild, but this should not diminish the urgency of remediation given the critical nature of industrial control systems.

How to Mitigate CVE-2025-11784

Immediate Actions Required

  • Identify all Circutor SGE-PLC1000 and SGE-PLC50 devices in your environment running firmware version 9.0.2
  • Restrict network access to affected PLCs to authorized personnel and systems only
  • Implement network segmentation to isolate vulnerable devices from untrusted network segments
  • Enable enhanced logging and monitoring on network paths to affected devices
  • Review and restrict user accounts with access to PLC management interfaces
  • Deploy intrusion detection/prevention rules to detect exploitation attempts

Patch Information

Consult the INCIBE-CERT security advisory for official patch information and remediation guidance from Circutor. The advisory is available at the reference URL provided in the vulnerability disclosure. Contact Circutor directly for firmware updates that address this stack-based buffer overflow vulnerability.

Until a patch is available, implement compensating controls including network isolation, access restrictions, and enhanced monitoring to reduce exploitation risk.

Workarounds

In the absence of an official patch, implement the following compensating controls:

Network Isolation: Place affected PLCs on isolated network segments with strict access control lists (ACLs) limiting connectivity to only essential management stations and control systems.

Access Control: Restrict access to PLC management interfaces by implementing strong authentication and limiting user accounts with access to these devices. Disable unnecessary network services and protocols.

Web Application Firewall: If the vulnerable endpoint is web-accessible, deploy a WAF with rules to limit parameter lengths and block requests with abnormally long input values.

Monitoring: Implement continuous monitoring of network traffic to affected devices and establish alerting for any suspicious activity patterns.

For detailed mitigation guidance, refer to the INCIBE-CERT advisory: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

  • Vulnerability Details
  • TypeBuffer Overflow
  • Vendor/TechCircutor Sge Plc1000
  • SeverityHIGH
  • CVSS Score8.5
  • EPSS Probability0.06%
  • Known ExploitedNo
  • CVSS Vector
  • CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
  • Impact Assessment
  • ConfidentialityLow
  • IntegrityNone
  • AvailabilityHigh
  • CWE References
  • CWE-121
  • Technical References
  • Third Party Advisory
  • Related CVEs
  • CVE-2025-11789
  • CVE-2025-11788
  • CVE-2025-11787
  • CVE-2025-11786
  • CVE-2025-11785
  • CVE-2025-11783
  • CVE-2025-11782
  • CVE-2025-11781
  • CVE-2025-11780
  • CVE-2025-11779
Experience the World’s Most Advanced Cybersecurity Platform

Experience the World’s Most Advanced Cybersecurity Platform

See how our intelligent, autonomous cybersecurity platform can protect your organization now and into the future.

Try SentinelOne
  • Get Started
  • Get a Demo
  • Product Tour
  • Why SentinelOne
  • Pricing & Packaging
  • FAQ
  • Contact
  • Contact Us
  • Customer Support
  • SentinelOne Status
  • Language
  • English
  • Platform
  • Singularity Platform
  • Singularity Endpoint
  • Singularity Cloud
  • Singularity AI-SIEM
  • Singularity Identity
  • Singularity Marketplace
  • Purple AI
  • Services
  • Wayfinder TDR
  • SentinelOne GO
  • Technical Account Management
  • Support Services
  • Verticals
  • Energy
  • Federal Government
  • Finance
  • Healthcare
  • Higher Education
  • K-12 Education
  • Manufacturing
  • Retail
  • State and Local Government
  • Cybersecurity for SMB
  • Resources
  • Blog
  • Labs
  • Case Studies
  • Videos
  • Product Tours
  • Events
  • Cybersecurity 101
  • eBooks
  • Webinars
  • Whitepapers
  • Press
  • News
  • Ransomware Anthology
  • Company
  • About Us
  • Our Customers
  • Careers
  • Partners
  • Legal & Compliance
  • Security & Compliance
  • Investor Relations
  • S Foundation
  • S Ventures

©2026 SentinelOne, All Rights Reserved.

Privacy Notice Terms of Use