Fuji Electric V-SFT HMI Configurator Flaws Could Let Attackers Compromise Industrial Workstations

Introduction: What’s affected and why it matters

Multiple memory-corruption flaws in Fuji Electric’s V-SFT—the Windows-based configuration software used to program MONITOUCH HMI panels—can be abused via a malicious project file to achieve arbitrary code execution on the engineer/operator workstation. Successful exploitation provides the attacker with the victim’s local privileges, creating a springboard to compromise HMIs and adjacent OT assets. Patches are available.

In brief

  • Product: Fuji Electric / Hakko Electronics V-SFT-6 (HMI configuration software).
  • Impact: Code execution, information disclosure, application crash (ABEND).
  • User interaction required: Yes — victim must open a crafted V-SFT project file (typical phishing or shared file scenario).
  • Fix: Update to V-SFT-6 version 6.2.9.0 (vendor’s latest), which addresses the newly disclosed set; earlier sets were fixed in prior 2025 updates.

Context / history / disclosure timeline

  • May 14, 2025: JPCERT/CC published the first 2025 batch for V-SFT-6 v6.2.5.0 and earlier (CVE-2025-47749 … CVE-2025-47760).
  • Oct 8, 2025: JPCERT/CC published a second batch for v6.2.7.0 and earlier (CVE-2025-61856 … CVE-2025-61864).
  • Oct 16, 2025: Public reporting highlighted patch availability and exploitation paths via social engineering.
  • Versioning: Fuji’s site lists V-SFT-6 6.2.9.0 as the newest release (download requires an account); the release notes pages are sparse on security detail, but this is the version JPCERT references as remediation.

Technical analysis / details of the vulnerability

Attack vector: Opening a specially crafted V-SFT project file (V7/V8 formats) triggers parsing bugs in multiple modules (e.g., VS6ComFile, VS6MemInIF, VS6EditData, VS6File). This can lead to stack-based buffer overflows, out-of-bounds reads/writes, and use-after-free, culminating in code execution with the user’s privileges. The JVN entries give a CVSS v3.1 base score of 7.8 (High) and a CVSS v4.0 base score of 8.4 (High).

Latest CVE set (Oct 2025, affects v6.2.7.0 and earlier):

  • CVE-2025-61856 — stack-based buffer overflow in CV7BaseMap::WriteV7DataToRom.
  • CVE-2025-61857 – 61859 — multiple OOB writes across UI/animation handling.
  • CVE-2025-61860 – 61863 — multiple OOB reads across memory/serialization routines.
  • CVE-2025-61864 — use-after-free in link-handling.

Earlier 2025 CVE set (May 2025, affects v6.2.5.0 and earlier): CVE-2025-47749 – 47760, spanning OOB writes/reads and stack-overflows in file-parsing paths for V7/V8 files.

Why this is risky in OT: Although exploitation requires opening a file, engineering workstations routinely import project backups, templates, and vendor samples. Once code runs on the HMI engineering PC, attackers can tamper with HMI projects, alter PLC tags/alarms, plant logic screens, or stage ransomware in the OT boundary, especially where domain trusts and file shares bridge IT/OT. SecurityWeek’s reporting and the impacts listed in JVN explicitly include code execution and information disclosure.

Fixed versions: Update to V-SFT-6 6.2.9.0 (latest listed by Fuji) or newer. Note that Fuji’s public “Improvement information” page lists 6.2.9.0 but does not enumerate security fixes; the JPCERT advisories instruct users to update to the latest version.

Practical consequences / risks

  • Engineer workstation takeover → credential theft, lateral movement to HMI panels or historian servers.
  • Operational manipulation → misleading graphics, hidden alarms, or altered setpoints if malicious projects are deployed to panels.
  • Downtime & safety → HMI instability or forced crashes (ABEND) during operations.
  • Supply-chain path → trojanized project files shared by integrators/contractors.

Operational recommendations / what to do next

  1. Patch priority:
    • Upgrade V-SFT-6 to 6.2.9.0 (or later) on all engineering/maintenance PCs. Validate that older installers are removed from file shares.
  2. Control project file provenance:
    • Only accept projects from trusted, verified sources; require hash/signature checks where available. Stage in a detonation VM before importing into production engineering stations. (Aligns with the “user-interaction” nature of these CVEs.)
  3. Least privilege on engineering PCs:
    • Run V-SFT under non-admin accounts; enforce application allow-listing (AppLocker/SRP) and constrained user rights to limit blast radius if code executes.
  4. Network hygiene & segmentation:
    • Keep engineering workstations in a separate OT zone; restrict SMB/RDP flows; use jump hosts and enforce MFA where feasible (CISA’s generic ICS guidance is applicable).
  5. Monitoring & incident readiness:
    • Add detections for unusual V-SFT process behavior (child processes, script interpreters, LOLBins).
    • Maintain golden copies of HMI projects; enable checksum validation before panel downloads.
  6. User awareness for OT staff:
    • Train engineers to treat project files like executables; validate origins before opening.
  7. Backup & recovery:
    • Ensure recent, offline backups for HMI panels and engineering stations to recover from data tampering or ransomware.
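
One way to implement the detection from recommendation 5, shown as an added example that is not from the vendor or the advisories: it scans Sysmon process-creation events (Event ID 1) for the configurator spawning a script interpreter or LOLBin. It assumes the events are exported as JSON lines; the executable name is a placeholder because the page does not give it, and the sample log is constructed.

```python
import json
from pathlib import PureWindowsPath

# Placeholder (assumption): the page does not name the V-SFT executable; set it per install.
CONFIGURATOR_IMAGES = {"vsft-placeholder.exe"}
# Script interpreters and commonly abused Windows binaries (LOLBins).
SUSPICIOUS_CHILDREN = {
    "cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe",
    "mshta.exe", "rundll32.exe", "regsvr32.exe", "certutil.exe", "bitsadmin.exe",
}

def image_name(path):
    """Lower-cased file name of a Windows path ('' if the field is missing)."""
    return PureWindowsPath(path or "").name.lower()

def find_suspicious_spawns(json_lines):
    """Flag Sysmon EventID 1 records where the configurator is the parent of an interpreter or LOLBin."""
    alerts = []
    for line in json_lines:
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip truncated or non-JSON lines instead of aborting
        if not isinstance(event, dict) or event.get("EventID") != 1:
            continue  # only process-creation events are relevant here
        parent, child = image_name(event.get("ParentImage")), image_name(event.get("Image"))
        if parent in CONFIGURATOR_IMAGES and child in SUSPICIOUS_CHILDREN:
            alerts.append({"time": event.get("UtcTime"), "host": event.get("Computer"),
                           "user": event.get("User"), "child": child,
                           "command_line": event.get("CommandLine")})
    return alerts

def _event(parent, image, cmd, event_id=1):
    # Constructed sample record; host, user and paths are invented.
    return json.dumps({"EventID": event_id, "UtcTime": "2025-10-20 08:15:00.000",
                       "Computer": "ENG-WS-01", "User": "PLANT\\engineer",
                       "ParentImage": parent, "Image": image, "CommandLine": cmd})

SAMPLE_LOG = [
    _event(r"C:\Apps\VSFT-PLACEHOLDER.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe /c dir"),
    _event(r"C:\Windows\explorer.exe", r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    _event(r"C:\Apps\vsft-placeholder.exe", r"C:\Apps\helper.exe", "helper.exe"),
    _event(r"C:\Apps\vsft-placeholder.exe", r"C:\Windows\System32\powershell.exe", "powershell.exe"),
    _event(r"C:\Apps\vsft-placeholder.exe", r"C:\Windows\System32\rundll32.exe", "rundll32.exe", 3),
    '{"EventID": 1, "ParentImage": ',  # truncated line, must be skipped
]

if __name__ == "__main__":
    print(*find_suspicious_spawns(SAMPLE_LOG), sep="\n")
```

Matching is on the image file name only, so a renamed binary would evade it; pairing the rule with application allow-listing from recommendation 3 covers that gap.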

Differences / comparisons with other cases

  • The May 2025 batch (CVE-2025-47749…60) and the October 2025 batch (CVE-2025-61856…64) share the same class of parsing flaws triggered by crafted V7/V8 files but affect different code paths and versions. Both require user interaction and lead to local code execution on the host running V-SFT. This pattern mirrors earlier ICS advisories for V-SFT in 2024 (e.g., CVE-2024-34171, CVE-2024-5271), underscoring a long-running attack surface in offline file parsers.

Summary / key takeaways

  • Threat: High-impact code-execution flaws exploitable via malicious configuration files.
  • Exposure: Engineering workstations that open untrusted V-SFT projects.
  • Action: Update to V-SFT-6 6.2.9.0, harden engineer endpoints, and treat project files as untrusted content until vetted.

Sources / bibliography

  • SecurityWeek news: overview, social-engineering vector, and patch availability (published Oct 16, 2025). (SecurityWeek)
  • JPCERT/CC JVN (Oct 8, 2025): JVNVU#90008453, CVE-2025-61856 … 61864, v6.2.7.0 and earlier; impacts and CVSS. (jvn.jp)
  • JPCERT/CC JVN (May 14, 2025): JVNVU#97228144, CVE-2025-47749 … 47760, v6.2.5.0 and earlier; impacts and CVSS. (jvn.jp)
  • NVD CVE page for CVE-2025-61856 (technical description & timeline). (NVD)
  • Fuji Electric/Hakko improvement & version pages (confirming 6.2.9.0 availability). (Monitouch)