CVE-2025-11784: Circutor SGE-PLC Buffer Overflow Flaw

CVE-2025-11784 Overview

CVE-2025-11784 is a stack-based buffer overflow [CWE-121] affecting Circutor SGE-PLC1000 and SGE-PLC50 devices running firmware version 9.0.2. The flaw resides in the ShowMeterDatabase() function, which copies unbounded user-supplied input into a fixed-size stack buffer through an unsafe sprintf() call. An attacker with low privileges on an adjacent network can trigger the overflow by submitting an oversized value for the meter parameter retrieved by GetParameter(meter). Exploitation can corrupt stack memory on these industrial Power Line Communication (PLC) controllers, threatening process integrity and device availability in operational technology (OT) environments.

Critical Impact
Successful exploitation enables memory corruption on industrial PLC gateway devices, with potential for denial of service or arbitrary code execution affecting downstream metering infrastructure.

Affected Products

Circutor SGE-PLC1000 firmware version 9.0.2
Circutor SGE-PLC50 firmware version 9.0.2
Associated Circutor SGE-PLC1000 and SGE-PLC50 hardware platforms

Discovery Timeline

2025-12-02 - CVE-2025-11784 published to NVD
2025-12-03 - Last updated in NVD database

Technical Details for CVE-2025-11784

Vulnerability Analysis

The vulnerability is a classic stack-based buffer overflow in the device's web management interface logic. The ShowMeterDatabase() function constructs a string using sprintf() against a fixed-size stack buffer. Because sprintf() performs no length checking, any input larger than the destination buffer overwrites adjacent stack memory, including saved frame pointers and return addresses. The meter parameter is read directly from user-controlled input through GetParameter(meter) without sanitization or bounds enforcement. An authenticated attacker on the same network segment can send a crafted request containing an excessively long meter value to corrupt the stack. The impact extends beyond the immediate device — these Circutor controllers act as data concentrators for downstream meters, so disruption affects the integrity and availability of dependent metering services.

Root Cause

The root cause is unsafe use of the sprintf() function combined with missing input validation in GetParameter(meter). Secure alternatives such as snprintf() or explicit length checks before copying would prevent the overflow. The CWE-121 classification reflects the absence of boundary enforcement on a fixed-size stack buffer.

Attack Vector

Exploitation requires adjacent network access and low-privileged authentication to the device. The attacker submits a request to the affected endpoint with an oversized meter parameter. The malformed input flows directly into the vulnerable sprintf() operation, overflowing the stack buffer. Depending on the firmware's memory protections, the result ranges from device crash and reboot to controlled hijack of execution flow on the embedded controller.

No public proof-of-concept exploit is currently available. The vulnerability is described in the INCIBE Security Notice.

Detection Methods for CVE-2025-11784

Indicators of Compromise

Unexpected reboots, watchdog resets, or service interruptions on SGE-PLC1000 or SGE-PLC50 devices.
HTTP requests to the device management interface containing abnormally long meter parameter values.
Authentication events from unexpected internal hosts on the OT network segment hosting the PLCs.

Detection Strategies

Inspect network traffic to the affected devices for oversized query string parameters, particularly meter values exceeding typical lengths.
Correlate device availability telemetry with authenticated session activity to identify crash-triggering requests.
Apply intrusion detection signatures that flag malformed HTTP parameters directed at Circutor SGE management endpoints.

Monitoring Recommendations

Forward syslog and device health metrics from Circutor controllers to a centralized SIEM for anomaly correlation.
Monitor the OT/IT network boundary for any non-engineering workstation initiating sessions toward PLC management interfaces.
Baseline normal meter parameter value lengths and alert on outliers consistent with overflow payloads.

How to Mitigate CVE-2025-11784

Immediate Actions Required

Restrict network access to the Circutor SGE-PLC1000 and SGE-PLC50 management interfaces to a dedicated engineering VLAN.
Enforce strong, unique credentials and disable any default accounts to limit the low-privileged access required for exploitation.
Review authentication logs and recent configuration changes on affected devices for signs of probing.

Patch Information

At the time of publication, no vendor patch URL is listed in the available references. Operators should consult the INCIBE Security Notice and contact Circutor support for firmware updates superseding version 9.0.2.

Workarounds

Place the affected devices behind a firewall that blocks all inbound traffic except from authorized engineering hosts.
Disable remote management features where operationally feasible and require jump-host access for administration.
Apply network-level input filtering to drop HTTP requests with parameter lengths inconsistent with legitimate device operation.

bash

# Example ACL restricting access to PLC management interface
iptables -A INPUT -p tcp -d <PLC_IP> --dport 80 -s <ENGINEERING_SUBNET> -j ACCEPT
iptables -A INPUT -p tcp -d <PLC_IP> --dport 80 -j DROP