Cyber Resilience

CVE-2025-11787

HighRCE

Published: 02 December 2025

Published
02 December 2025
Modified
03 December 2025
KEV Added
Patch
CVSS Score v4 8.5 CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0019 40.3th percentile
Risk Priority 17 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11787 is a high-severity OS Command Injection (CWE-78) vulnerability in Circutor Sge-Plc1000 Firmware. Its CVSS base score is 8.5 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 40.3th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2025-11787 is a command injection vulnerability (CWE-78) in the operating system of Circutor SGE-PLC1000 and SGE-PLC50 devices running version 9.0.2. The issue affects the 'GetDNS()', 'CheckPing()', and 'TraceRoute()' functions, enabling attackers to inject and execute arbitrary operating system commands. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-02T13:15:50.730.

Attackers with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing full system compromise through arbitrary command execution on the affected PLC devices.

The INCIBE-CERT advisory (https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0) addresses multiple vulnerabilities in Circutor products, including CVE-2025-11787, and provides details on affected systems for security practitioners to review for mitigation steps.

EU & UK References

Vulnerability details

Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through the 'GetDNS()', 'CheckPing()' and 'TraceRoute()' functions.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
Why these techniques?

Command injection in network-exposed functions (GetDNS, CheckPing, TraceRoute) enables arbitrary OS command execution (T1059) via exploitation of a remote service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-11779Same product: Circutor Sge-Plc1000
CVE-2025-11783Same product: Circutor Sge-Plc1000
CVE-2026-33613Shared CWE-78
CVE-2025-55055Shared CWE-78
CVE-2026-25105Shared CWE-78
CVE-2026-24452Shared CWE-78
CVE-2026-1428Shared CWE-78
CVE-2025-44961Shared CWE-78
CVE-2025-30479Shared CWE-78
CVE-2026-5707Shared CWE-78

Affected Assets

circutor
sge-plc1000 firmware
9.0.2
circutor
sge-plc50 firmware
9.0.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly prevents command injection in GetDNS(), CheckPing(), and TraceRoute() by validating and sanitizing untrusted inputs before processing.

prevent

Remediates the specific command injection flaw in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through timely patching or vendor-recommended fixes.

prevent

Minimizes exposure to the vulnerable diagnostic functions by restricting the PLC OS to least functionality required for operations.

References