ID

VAR-202512-0794


CVE

CVE-2025-11781


DESCRIPTION

Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges.

Trust: 1.0

sources: NVD: CVE-2025-11781

AFFECTED PRODUCTS

vendor: circutor
model: sge-plc1000
scope: eq
version: 9.0.2

Trust: 1.0

vendor: circutor
model: sge-plc50
scope: eq
version: 9.0.2

Trust: 1.0

sources: NVD: CVE-2025-11781

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2025-11781
value: HIGH

Trust: 1.0

cve-coordination@incibe.es: CVE-2025-11781
value: HIGH

Trust: 1.0

nvd@nist.gov: CVE-2025-11781
baseSeverity: HIGH
baseScore: 7.8
vectorString: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
attackVector: LOCAL
attackComplexity: LOW
privilegesRequired: LOW
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: HIGH
availabilityImpact: HIGH
exploitabilityScore: 1.8
impactScore: 5.9
version: 3.1

Trust: 1.0

sources: NVD: CVE-2025-11781 // NVD: CVE-2025-11781

PROBLEMTYPE DATA

problemtype: CWE-321

Trust: 1.0

sources: NVD: CVE-2025-11781

EXTERNAL IDS

db: NVD
id: CVE-2025-11781

Trust: 1.0

sources: NVD: CVE-2025-11781

REFERENCES

url: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0

Trust: 1.0

sources: NVD: CVE-2025-11781

SOURCES

db: NVD
id: CVE-2025-11781

LAST UPDATE DATE

2025-12-19T22:58:08.460000+00:00


SOURCES UPDATE DATE

db: NVD
id: CVE-2025-11781
date: 2025-12-03T19:10:34.340

SOURCES RELEASE DATE

db: NVD
id: CVE-2025-11781
date: 2025-12-02T13:15:49.140