CVE 8.6 HIGH

Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50_CVE-2025-11781

December 2, 2025 invoker category_cve

8.6 / 10

HIGH

CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Description

Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges.

AI Analysis

Hardcoded cryptographic key vulnerability in Circutor SGE-PLC1000/SGE-PLC50 firmware, allowing local attackers to extract the key and gain full administrative privileges.

Basic Information

ID CVE-2025-11781

Source INCIBE

Published Dec 2, 2025 at 12:59

Modified Dec 2, 2025 at 13:35

Affected Product

Vendor Circutor

Product Circutor SGE-PLC1000/SGE-PLC50

Version 9.0.2

Affected Versions SGE-PLC1000 SGE-PLC50 Circutor 9.0.2

CWE Classification

CWE-321

AI Assessment

AI Score 8.6 / 10

AI Severity High

Vendor Circutor

Product SGE-PLC1000/SGE-PLC50

Version 9.0.2

References

www.incibe.es /en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0

{
    "lastseen": "",
    "description": "Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges.",
    "published": "2025-12-02T12:59:46.925Z",
    "modified": "2025-12-02T13:35:07.164Z",
    "type": "cve",
    "title": "Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50",
    "source": "INCIBE",
    "references": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0",
    "id": "CVE-2025-11781",
    "bulletinFamily": "",
    "cwe": [
        "CWE-321"
    ],
    "cvelist": null,
    "sourceData": "SGE-PLC1000 SGE-PLC50 Circutor 9.0.2",
    "sourceHref": "",
    "cvss": {
        "score": 8.6,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Circutor SGE-PLC1000/SGE-PLC50",
    "version": "9.0.2",
    "vendor": "Circutor",
    "ai_description": "Hardcoded cryptographic key vulnerability in Circutor SGE-PLC1000/SGE-PLC50 firmware, allowing local attackers to extract the key and gain full administrative privileges.",
    "ai_severity": "High",
    "ai_vendor": "Circutor",
    "ai_product": "SGE-PLC1000/SGE-PLC50",
    "ai_version": "9.0.2",
    "ai_score": 8.6
}

💭 Join the Security Discussion ❌ Cancel Reply