The attached advisory details multiple critical and high-severity vulnerabilities discovered in the CIRCUTOR SGE-PLC1000 and SGE-PLC50 industrial control devices. Researchers identified a wide range of security issues, including buffer overflows, command injection flaws, hardcoded authentication keys, and memory corruption vulnerabilities that could allow attackers to execute arbitrary code, gain administrative access, or disrupt device operations remotely. Several of the findings stem from unsafe handling of user-supplied input and insecure use of functions such as sprintf() and system(). The report emphasizes the potential impact on industrial environments and recommends implementing stronger input validation, safer memory handling practices, and more secure authentication mechanisms to reduce the overall attack surface.
Affected Product
- CIRCUTOR – SGE-PLC1000/SGE-PLC50 v 0.9.2 / ServicePack 140411
| Title | CIRCUTOR SGE PLC1000/PLC50 |
| Severity | 1 Critical, 10 High, 3 medium |
| Discovered by | Gabriel Gonzalez / Sergio Ruiz |
| Advisory Date | January 26, 2026 |
Timeline
- 2025-03-14: Vulnerabilities identified, disclosure process begins.
- 2025-09-30: INCIBE gets ahold of the client to fix vulnerabilities
- 2025-10-28: INCIBE coordinates disclosure: https://www.incibe.es/en/incibe-cert/notices/aviso-sci/multiple-vulnerabilities-circutor-products-0