What is the CVSS score of CVE-2025-11786?

CVE-2025-11786 has a CVSS 3.1 base score of 9.8 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H. EPSS exploitation probability: 0.1%.

Which versions of Sge Plc1000 Firmware are affected by CVE-2025-11786?

A critical remote code execution vulnerability affects Circutor SGE-PLC industrial control devices (models PLC1000/PLC50 v9.0.2), allowing attackers to execute arbitrary commands with…

How to fix or mitigate CVE-2025-11786?

Within 24 hours: Identify and inventory all SGE-PLC1000/PLC50 v9.0.2 devices in your environment; restrict network access to affected devices to trusted administrative networks only; disable remote password reset functionality if operationally feasible. Within 7 days: Implement network segmentation isolating affected PLCs from untrusted networks; deploy enhanced logging and monitoring on password reset functions; conduct threat assessment for exposed devices. Within 30 days: Contact Circutor for patch availability and timeline; develop remediation plan including device replacement or upgrade strategy; establish compensating controls for devices that cannot be immediately patched.

Sge Plc1000 Firmware CVE-2025-11786

EUVD-2025-200230 CRITICAL

Stack-based Buffer Overflow (CWE-121)

2025-12-02 cve-coordination@incibe.es

Buffer Overflow Stack Overflow Sge Plc1000 Firmware Sge Plc50 Firmware

9.8

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

EUVD ID Assigned

Mar 15, 2026 - 14:04 euvd

EUVD-2025-200230

Analysis Generated

Mar 15, 2026 - 14:04 vuln.today

CVE Published

Dec 02, 2025 - 13:15 nvd

CRITICAL 9.8

DescriptionNVD

Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function, the 'newPassword' parameter is directly embedded in a shell command string using 'sprintf()' without any sanitisation or validation, and then executed using 'system()'. This allows an attacker to inject arbitrary shell commands that will be executed with the same privileges as the application.

Analysis

Technical ContextAI

A buffer overflow occurs when data written to a buffer exceeds its allocated size, potentially overwriting adjacent memory and corrupting program state. This vulnerability is classified as Stack-based Buffer Overflow (CWE-121).

RemediationAI

Use memory-safe languages or bounds-checked functions. Enable ASLR, DEP/NX, and stack canaries. Apply vendor patches promptly.

CVE-2025-11786 vulnerability details – vuln.today

Back

Sge Plc1000 Firmware CVE-2025-11786

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

Analysis

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code