CVE-2025-11781 | THREATINT

Description

Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges.

PUBLISHED Reserved 2025-10-15 | Published 2025-12-02 | Updated 2025-12-02 | Assigner INCIBE

HIGH: 8.6CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Problem types

CWE-321: Use of Hard-coded Cryptographic Key

Product status

Default status

unaffected

9.0.2

affected

Credits

Gabriel Gonzalez and Sergio Ruiz finder

References

www.incibe.es/...ultiple-vulnerabilities-circutor-products-0

cve.org (CVE-2025-11781)

nvd.nist.gov (CVE-2025-11781)

Download JSON