CVE-2025-11788 (GCVE-0-2025-11788)

Vulnerability from cvelistv5 – Published: 2025-12-02 13:03 – Updated: 2025-12-02 13:31
Summary
Heap-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'ShowSupervisorParameters()' function, there is an unlimited user input that is copied to a fixed-size buffer via 'sprintf()'. The 'GetParameter(meter)' function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the 'meter' parameter.
CWE
  • CWE-122 - Heap-based Buffer Overflow
Credits
Gabriel Gonzalez and Sergio Ruiz

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2025-11788",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2025-12-02T13:30:50.053898Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2025-12-02T13:31:08.915Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Circutor",
          "vendor": "SGE-PLC1000 SGE-PLC50",
          "versions": [
            {
              "status": "affected",
              "version": "9.0.2"
            }
          ]
        }
      ],
      "cpeApplicability": [
        {
          "nodes": [
            {
              "cpeMatch": [
                {
                  "criteria": "cpe:2.3:a:sge-plc1000_sge-plc50:circutor:9.0.2:*:*:*:*:*:*:*",
                  "vulnerable": true
                }
              ],
              "negate": false,
              "operator": "OR"
            }
          ],
          "operator": "OR"
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Gabriel Gonzalez and Sergio Ruiz"
        }
      ],
      "datePublic": "2025-10-28T11:00:00.000Z",
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Heap-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the \u0027ShowSupervisorParameters()\u0027 function, there is an unlimited user input that is copied to a fixed-size buffer via \u0027sprintf()\u0027. The \u0027GetParameter(meter)\u0027 function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the \u0027meter\u0027 parameter."
            }
          ],
          "value": "Heap-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the \u0027ShowSupervisorParameters()\u0027 function, there is an unlimited user input that is copied to a fixed-size buffer via \u0027sprintf()\u0027. The \u0027GetParameter(meter)\u0027 function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the \u0027meter\u0027 parameter."
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "NOT_DEFINED",
            "Recovery": "NOT_DEFINED",
            "Safety": "NOT_DEFINED",
            "attackComplexity": "LOW",
            "attackRequirements": "NONE",
            "attackVector": "NETWORK",
            "baseScore": 8.5,
            "baseSeverity": "HIGH",
            "exploitMaturity": "NOT_DEFINED",
            "privilegesRequired": "LOW",
            "providerUrgency": "NOT_DEFINED",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "NONE",
            "userInteraction": "NONE",
            "valueDensity": "NOT_DEFINED",
            "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:H/SI:N/SA:H",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "NONE",
            "vulnerabilityResponseEffort": "NOT_DEFINED"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-122",
              "description": "CWE-122 Heap-based Buffer Overflow",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2025-12-02T13:03:32.925Z",
        "orgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
        "shortName": "INCIBE"
      },
      "references": [
        {
          "url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0"
        }
      ],
      "solutions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "The SGE-PLC100 and SGE-PLC50 units were discontinued in 2015. They were replaced by the Compact DC, which in turn became obsolete in November 2024. The current equivalent product is the GEDE EDC. The oldest version currently installed is 1.0.14, as it was the first to be compatible with the existing tariff system, while the latest version of these units is 1.2.21. Circutor recommends not extending the useful life of the SGE-PLC100 and SGE-PLC50 concentrators without keeping them updated. For both the Compact DC units (which replaced the SGE series) and the current GEDE EDC, it is recommended to update to the latest available version (2.0.4) or, at a minimum, to 2.0.0. This approach not only mitigates the identified vulnerabilities, but also provides new functionalities derived from the evolution of DLMS, the PRIME standard, STG protocols and the REST API."
            }
          ],
          "value": "The SGE-PLC100 and SGE-PLC50 units were discontinued in 2015. They were replaced by the Compact DC, which in turn became obsolete in November 2024. The current equivalent product is the GEDE EDC. The oldest version currently installed is 1.0.14, as it was the first to be compatible with the existing tariff system, while the latest version of these units is 1.2.21. Circutor recommends not extending the useful life of the SGE-PLC100 and SGE-PLC50 concentrators without keeping them updated. For both the Compact DC units (which replaced the SGE series) and the current GEDE EDC, it is recommended to update to the latest available version (2.0.4) or, at a minimum, to 2.0.0. This approach not only mitigates the identified vulnerabilities, but also provides new functionalities derived from the evolution of DLMS, the PRIME standard, STG protocols and the REST API."
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "unsupported-when-assigned"
      ],
      "title": "Heap-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50",
      "x_generator": {
        "engine": "Vulnogram 0.5.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "0cbda920-cd7f-484a-8e76-bf7f4b7f4516",
    "assignerShortName": "INCIBE",
    "cveId": "CVE-2025-11788",
    "datePublished": "2025-12-02T13:03:32.925Z",
    "dateReserved": "2025-10-15T12:06:18.604Z",
    "dateUpdated": "2025-12-02T13:31:08.915Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2025-11788\",\"sourceIdentifier\":\"cve-coordination@incibe.es\",\"published\":\"2025-12-02T13:15:51.027\",\"lastModified\":\"2025-12-03T19:19:01.820\",\"vulnStatus\":\"Analyzed\",\"cveTags\":[{\"sourceIdentifier\":\"cve-coordination@incibe.es\",\"tags\":[\"unsupported-when-assigned\"]}],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Heap-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the \u0027ShowSupervisorParameters()\u0027 function, there is an unlimited user input that is copied to a fixed-size buffer via \u0027sprintf()\u0027. The \u0027GetParameter(meter)\u0027 function retrieves the user input, which is directly incorporated into a buffer without size validation. An attacker can provide an excessively large input for the \u0027meter\u0027 parameter.\"}],\"metrics\":{\"cvssMetricV40\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"4.0\",\"vectorString\":\"CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:H/SC:H/SI:N/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X\",\"baseScore\":8.5,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"attackRequirements\":\"NONE\",\"privilegesRequired\":\"LOW\",\"userInteraction\":\"NONE\",\"vulnConfidentialityImpact\":\"HIGH\",\"vulnIntegrityImpact\":\"NONE\",\"vulnAvailabilityImpact\":\"HIGH\",\"subConfidentialityImpact\":\"HIGH\",\"subIntegrityImpact\":\"NONE\",\"subAvailabilityImpact\":\"HIGH\",\"exploitMaturity\":\"NOT_DEFINED\",\"confidentialityRequirement\":\"NOT_DEFINED\",\"integrityRequirement\":\"NOT_DEFINED\",\"availabilityRequirement\":\"NOT_DEFINED\",\"modifiedAttackVector\":\"NOT_DEFINED\",\"modifiedAttackComplexity\":\"NOT_DEFINED\",\"modifiedAttackRequirements\":\"NOT_DEFINED\",\"modifiedPrivilegesRequired\":\"NOT_DEFINED\",\"modifiedUserInteraction\":\"NOT_DEFINED\",\"modifiedVulnConfidentialityImp
act\":\"NOT_DEFINED\",\"modifiedVulnIntegrityImpact\":\"NOT_DEFINED\",\"modifiedVulnAvailabilityImpact\":\"NOT_DEFINED\",\"modifiedSubConfidentialityImpact\":\"NOT_DEFINED\",\"modifiedSubIntegrityImpact\":\"NOT_DEFINED\",\"modifiedSubAvailabilityImpact\":\"NOT_DEFINED\",\"Safety\":\"NOT_DEFINED\",\"Automatable\":\"NOT_DEFINED\",\"Recovery\":\"NOT_DEFINED\",\"valueDensity\":\"NOT_DEFINED\",\"vulnerabilityResponseEffort\":\"NOT_DEFINED\",\"providerUrgency\":\"NOT_DEFINED\"}}],\"cvssMetricV31\":[{\"source\":\"nvd@nist.gov\",\"type\":\"Primary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H\",\"baseScore\":9.8,\"baseSeverity\":\"CRITICAL\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"HIGH\",\"availabilityImpact\":\"HIGH\"},\"exploitabilityScore\":3.9,\"impactScore\":5.9}]},\"weaknesses\":[{\"source\":\"cve-coordination@incibe.es\",\"type\":\"Primary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-122\"}]}],\"configurations\":[{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:circutor:sge-plc1000_firmware:9.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"3FC715A9-6F95-4795-B3B1-1BFAF88ACCE9\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:circutor:sge-plc1000:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"FFF41215-1018-42DD-9A7E-BBC2E5B4522D\"}]}]},{\"operator\":\"AND\",\"nodes\":[{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":true,\"criteria\":\"cpe:2.3:o:circutor:sge-plc50_firmware:9.0.2:*:*:*:*:*:*:*\",\"matchCriteriaId\":\"203C8B5E-582A-4680-B324-B9092F01462B\"}]},{\"operator\":\"OR\",\"negate\":false,\"cpeMatch\":[{\"vulnerable\":false,\"criteria\":\"cpe:2.3:h:circutor:sge-plc50:-:*:*:*:*:*:*:*\",\"matchCriteriaId\":\
"447D1571-5329-422D-8E31-F4964E412FC3\"}]}]}],\"references\":[{\"url\":\"https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0\",\"source\":\"cve-coordination@incibe.es\",\"tags\":[\"Third Party Advisory\"]}]}}"
  }
}

