CVE-2025-11787
Published: 02 December 2025
Summary
CVE-2025-11787 is a high-severity OS Command Injection (CWE-78) vulnerability in Circutor Sge-Plc1000 Firmware. Its CVSS base score is 8.5 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059). The CVE ranks at the 40.3rd percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2025-11787 is a command injection vulnerability (CWE-78) in the operating system of Circutor SGE-PLC1000 and SGE-PLC50 devices running version 9.0.2. The issue affects the 'GetDNS()', 'CheckPing()', and 'TraceRoute()' functions, enabling attackers to inject and execute arbitrary operating system commands. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-02T13:15:50.730.
Attackers with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing full system compromise through arbitrary command execution on the affected PLC devices.
The INCIBE-CERT advisory (https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0) addresses multiple vulnerabilities in Circutor products, including CVE-2025-11787, and provides details on affected systems for security practitioners to review for mitigation steps.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-200229
- 🇪🇸 INCIBE: www.incibe.es
Vulnerability details
Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through the 'GetDNS()', 'CheckPing()' and 'TraceRoute()' functions.
- CWE(s): CWE-78 (OS Command Injection)
Related Threats
MITRE ATT&CK Enterprise Techniques (AI-generated)
Why these techniques?
Command injection in network-exposed diagnostic functions (GetDNS, CheckPing, TraceRoute) lets a remote, low-privileged user execute arbitrary OS commands through the device's command interpreter (T1059, Command and Scripting Interpreter) by exploiting a network-facing service (T1210, Exploitation of Remote Services).
Mitigating Controls
Mitigating Controls (NIST 800-53 r5, AI-generated)
- SI-10 (Information Input Validation): Directly prevents command injection in GetDNS(), CheckPing(), and TraceRoute() by validating and sanitizing untrusted inputs before processing.
- Flaw remediation: Remediates the specific command injection flaw in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through timely patching or vendor-recommended fixes.
- CM-7 (Least Functionality): Minimizes exposure to the vulnerable diagnostic functions by restricting the PLC OS to the least functionality required for operations.
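The pattern behind functions such as CheckPing() and TraceRoute(), and the SI-10 control above, is best seen side by side: a diagnostic wrapper that splices a user-supplied target into a shell command line, next to one that allow-lists the target and executes without a shell. The code below is an added illustration written for this page; it is not Circutor's firmware code and nothing about the real implementation is known beyond the advisory text. The hostname pattern, the function names and the sample inputs are all constructed assumptions.

```python
import re
import subprocess

# Constructed allow-list (assumption, not from the advisory): RFC 1123 style labels of
# letters, digits and hyphens, no leading or trailing hyphen, joined by dots. This also
# matches dotted IPv4 literals. No shell metacharacter can satisfy the pattern, so
# validation is the first defence; running without a shell is the second.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
_HOSTNAME_RE = re.compile(rf"^(?:{_LABEL}\.)*{_LABEL}$")

# Characters a POSIX shell treats specially; useful for logging why a request was refused.
_SHELL_META = set(";|&$`\n\r()<>{}\\'\"")


def is_valid_target(target: str) -> bool:
    """Allow-list check for a ping/traceroute/DNS target (hostname or IPv4 literal)."""
    return isinstance(target, str) and len(target) <= 253 and bool(_HOSTNAME_RE.fullmatch(target))


def injection_indicators(target: str) -> set:
    """Shell metacharacters present in a rejected input, for the audit log."""
    return {c for c in target if c in _SHELL_META}


def vulnerable_ping_command(target: str) -> str:
    """The injectable pattern: untrusted input concatenated into a command line that a
    system()/popen() style call would hand to the shell. Returned as a string only and
    never executed in this example."""
    return "ping -c 1 " + target


def safe_ping_argv(target: str) -> list:
    """Hardened form: reject anything outside the allow-list, then build an argv vector
    for execution with no shell, so metacharacters are never interpreted even if the
    allow-list were later loosened."""
    if not is_valid_target(target):
        raise ValueError(f"rejected ping target {target!r}; indicators={sorted(injection_indicators(target))}")
    return ["ping", "-c", "1", target]


def check_ping(target: str, runner=subprocess.run) -> int:
    """Run the hardened ping and return its exit status. `runner` is injectable so the
    function can be exercised offline; the default is subprocess.run with shell=False."""
    argv = safe_ping_argv(target)
    completed = runner(argv, shell=False, capture_output=True, timeout=10)
    return completed.returncode


if __name__ == "__main__":
    # Constructed inputs: two benign targets and one carrying a shell separator.
    for t in ["gateway.example.net", "10.0.0.1", "10.0.0.1; echo injected"]:
        print(f"{t!r}: valid={is_valid_target(t)} shell_line={vulnerable_ping_command(t)!r}")
```

The allow-list is deliberately narrower than "escape the bad characters": a denylist has to anticipate every quoting rule of the interpreter that will eventually see the string, while an allow-list only has to describe what a hostname looks like. Passing an argv vector with `shell=False` (the equivalent of execvp() over system() in C) means that even a validation bypass yields at worst an odd argument to ping, not a second command.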