Circutor SGE-PLC1000/SGE-PLC50 Hardcoded Cryptographic Key Vulnerability

Vulnerability

Circutor SGE-PLC1000 and SGE-PLC50 devices running firmware version 9.0.2 contain hardcoded cryptographic keys. An attacker with local access to the device can extract this static authentication key, for example through firmware analysis or memory dumping. Once obtained, the key can be used to create legitimate firmware update packages, bypassing all access controls and granting full administrative rights on the device.

Impact

Exploitation of this vulnerability allows for the creation of valid firmware update packages that can be used to gain full administrative privileges on the device, bypassing all intended access controls.
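
Why a key stored on the device cannot authenticate updates, shown as an added example that is not Circutor's code or package format. It assumes, for illustration only, an HMAC-SHA256 tag over the package (the advisory does not state the actual scheme) and contrasts it with an Ed25519 check where the device holds only a public key; all function names and the key value are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed sample value standing in for a static key shipped in every image.
var embeddedKey = []byte("constructed-sample-key-not-from-any-device")

// tagWithSharedKey computes the package authenticator in the assumed symmetric scheme.
func tagWithSharedKey(key, pkg []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(pkg)
	return m.Sum(nil)
}

// deviceAcceptsShared checks with the same key that creates packages: one capability.
func deviceAcceptsShared(pkg, tag []byte) bool {
	return hmac.Equal(tag, tagWithSharedKey(embeddedKey, pkg))
}

// deviceAcceptsSigned uses a stored public key, which verifies but cannot create.
func deviceAcceptsSigned(pub ed25519.PublicKey, pkg, sig []byte) bool {
	return len(pub) == ed25519.PublicKeySize && ed25519.Verify(pub, pkg, sig)
}

// evaluate reports whether each design accepts a package authenticated without the vendor's secret.
func evaluate(pkg []byte) (sharedAccepts, signedAcceptsVendor, signedAcceptsOther bool, err error) {
	copied := append([]byte(nil), embeddedKey...) // the key as read out of an image
	sharedAccepts = deviceAcceptsShared(pkg, tagWithSharedKey(copied, pkg))
	pub, vendorPriv, err := ed25519.GenerateKey(nil) // nil selects crypto/rand
	if err != nil {
		return
	}
	_, otherPriv, err := ed25519.GenerateKey(nil) // any key that is not the vendor's
	if err != nil {
		return
	}
	signedAcceptsVendor = deviceAcceptsSigned(pub, pkg, ed25519.Sign(vendorPriv, pkg))
	signedAcceptsOther = deviceAcceptsSigned(pub, pkg, ed25519.Sign(otherPriv, pkg))
	return
}

func main() {
	fmt.Println(evaluate([]byte("constructed update package bytes")))
}
```

In the shared-key design the first result is true for anyone holding a copy of the image; in the signed design only the vendor's private key, which never ships on the device, produces an accepted package.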

Remediation

Circutor SGE-PLC1000 and SGE-PLC50 units were discontinued in 2015. Users are advised to update to the latest available version (2.0.4) or, at a minimum, to 2.0.0. For units that have been replaced by the GEDE EDC, it is recommended to update to the latest version.

Added: Dec 2, 2025, 1:24 PM
Updated: Dec 2, 2025, 5:54 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 7.5
exploitability: 4.9
remediation: 0.0
relevance: 1.2
threat: 0.0
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.