Cyber Posture

CVE-2025-11787

HighRCE

Published: 02 December 2025

Published
02 December 2025
Modified
03 December 2025
KEV Added
Patch
CVSS Score 8.8 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPSS Score 0.0019 40.1th percentile
Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2025-11787 is a high-severity OS Command Injection (CWE-78) vulnerability in Circutor Sge-Plc1000 Firmware. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Command and Scripting Interpreter (T1059); ranked at the 40.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-7 (Least Functionality) and SI-10 (Information Input Validation).

Threat & Defense at a Glance

What attackers do: exploitation maps to Command and Scripting Interpreter (T1059) and 1 other technique. What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match
prevent

Directly prevents command injection in GetDNS(), CheckPing(), and TraceRoute() by validating and sanitizing untrusted inputs before processing.

SI-2 Flaw Remediation good match
prevent

Remediates the specific command injection flaw in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through timely patching or vendor-recommended fixes.

CM-7 Least Functionality good match
prevent

Minimizes exposure to the vulnerable diagnostic functions by restricting the PLC OS to least functionality required for operations.

MITRE ATT&CK Enterprise TechniquesAI

T1059 Command and Scripting Interpreter Execution
Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries.
attack.mitre.org →
T1210 Exploitation of Remote Services Lateral Movement
Adversaries may exploit remote services to gain unauthorized access to internal systems once inside of a network.
attack.mitre.org →
Why these techniques?

Command injection in network-exposed functions (GetDNS, CheckPing, TraceRoute) enables arbitrary OS command execution (T1059) via exploitation of a remote service (T1210).

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Command injection vulnerability in the operating system in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2 through the 'GetDNS()', 'CheckPing()' and 'TraceRoute()' functions.

Deeper analysisAI

CVE-2025-11787 is a command injection vulnerability (CWE-78) in the operating system of Circutor SGE-PLC1000 and SGE-PLC50 devices running version 9.0.2. The issue affects the 'GetDNS()', 'CheckPing()', and 'TraceRoute()' functions, enabling attackers to inject and execute arbitrary operating system commands. It carries a CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) and was published on 2025-12-02T13:15:50.730.

Attackers with low privileges can exploit this vulnerability remotely over the network with low complexity and no user interaction required. Exploitation grants high-impact access to confidentiality, integrity, and availability, potentially allowing full system compromise through arbitrary command execution on the affected PLC devices.

The INCIBE-CERT advisory (https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0) addresses multiple vulnerabilities in Circutor products, including CVE-2025-11787, and provides details on affected systems for security practitioners to review for mitigation steps.

Details

CWE(s)
CWE-78

Affected Products

circutor
sge-plc1000 firmware
9.0.2
circutor
sge-plc50 firmware
9.0.2

CVEs Like This One

CVE-2025-11779Same product: Circutor Sge-Plc1000
CVE-2025-11783Same product: Circutor Sge-Plc1000
CVE-2025-44961Shared CWE-78
CVE-2026-24452Shared CWE-78
CVE-2026-25105Shared CWE-78
CVE-2026-1428Shared CWE-78
CVE-2026-33613Shared CWE-78
CVE-2025-30479Shared CWE-78
CVE-2025-55055Shared CWE-78
CVE-2026-24695Shared CWE-78

References