EUVD-2025-200230

ID: EUVD-2025-200230

Severity: high

CVSS v4: 8.5 (CVSS:4.0/AV:A/AC:L/AT:N/PR:L/UI:N/VC:H/VI:L/VA:H/SC:H/SI:L/SA:H)

CVSS v3: Not provided

CWE: None listed

Source: ENISA

Description

Stack-based buffer overflow vulnerability in Circutor SGE-PLC1000/SGE-PLC50 v9.0.2. In the 'SetUserPassword()' function, the 'newPassword' parameter is directly embedded in a shell command string using 'sprintf()' without any sanitisation or validation, and then executed using 'system()'. This allows an attacker to inject arbitrary shell commands that will be executed with the same privileges as the application.

Timestamps

Normalized: 2025-12-31T11:32:41Z UTC
Last updated: 2025-12-31T11:32:01Z UTC

References

No references provided.

VulnAI

EUVD-2025-200230

Description

Timestamps

References