Fuji Electric V-SFT HMI Configurator Flaws Could Let Attackers Compromise Engineering Workstations

Introduction: what’s vulnerable and why it matters

Multiple file-parsing vulnerabilities in Fuji Electric V-SFT—the configuration/development software used to program MONITOUCH HMIs—can be triggered when an engineer opens a malicious V-SFT project file. Successful exploitation can lead to arbitrary code execution with the user’s privileges and information disclosure on the engineering workstation, a high-value pivot point in industrial networks. Fuji Electric has released V-SFT 6.2.9.0 to address these issues.

In brief

  • Impact: Code execution, information disclosure, application crash (ABEND) on engineering PCs running V-SFT.
  • Trigger: Opening a crafted V-SFT project file (user interaction required).
  • Affected: V-SFT 6.2.7.0 and earlier (per JPCERT JVN).
  • Fix: Upgrade to V-SFT 6.2.9.0.
  • CVE set: CVE-2025-61856 … CVE-2025-61864 (Oct 2025 batch) plus a prior May 2025 batch (CVE-2025-47749 … -47758). Typical CVSS v3.1 base ~7.8 (High).

Context / history / connections

  • Oct 16, 2025: Public reporting highlighted that recently patched V-SFT flaws could let attackers compromise industrial organizations via social engineering and crafted project files.
  • Oct 8, 2025: JPCERT/CC (JVN) published an advisory listing nine CVEs (CVE-2025-61856…-61864) affecting V-SFT ≤ 6.2.7.0, crediting researcher Michael Heinzl.
  • Researcher advisories confirm patched version 6.2.9.0 and describe the core bug class: inadequate validation during file parsing leading to OOB read/write, buffer overflow, and UAF. Vendor patch turnaround this round was ~4 months.
  • Earlier (May 14, 2025): JPCERT published a previous batch of V-SFT parsing bugs (CVE-2025-47749…-47758) also exploitable via malicious files.

Technical analysis / details of the vulnerability

The current (Oct 2025) set comprises typical unsafe parsing flaws across V-SFT modules, e.g.:

  • Stack-based buffer overflow (VS6ComFile!CV7BaseMap::WriteV7DataToRom) → CVE-2025-61856.
  • Out-of-bounds writes (e.g., CItemDraw::is_motion_tween, set_AnimationItem) → CVE-2025-61859, CVE-2025-61858.
  • Out-of-bounds reads (get_ovlp_element_size, others) → CVE-2025-61862, etc.
  • Use-after-free (VS6ComFile!load_link_inf) → CVE-2025-61864.

Exploit model: attacker supplies a crafted .v6p / project file via email, share, version control, or supplier portal. When opened in V-SFT by an engineer, unchecked parsing leads to memory corruption and potential RCE under the user’s context. CVSS v3.1 scores are generally 7.8 (High) with UI:R, AV:L, reflecting the need for user interaction but high post-compromise impact.

Patched version: V-SFT 6.2.9.0 (researcher & JVN cross-reference). Fuji’s public “Improvement information” page lists version 6.2.9.0 but does not explicitly call out security fixes.

Practical consequences / risks for OT

  • Engineering workstation takeover: RCE on an OT engineer’s PC can enable project tampering, credential theft, and lateral movement to HMIs/PLCs through the same programming toolchains.
  • Integrity risks: Malicious changes to HMI logic or tags (e.g., false setpoints/alarms) can lead to unsafe operations or downtime. (Inference based on typical HMI programmer access.)
  • Supply-chain vector: Malicious projects shared by vendors/integrators can bypass network perimeters since execution occurs during legitimate engineering tasks. (Inference aligned with UI-driven CVEs.)

Operational recommendations / what to do next

  1. Patch immediately: Upgrade all V-SFT 6.x installs to 6.2.9.0 (or later). Remove older installers from file shares and golden images.
  2. Handle projects as untrusted content:
    • Only open projects from verified sources; establish hash/signature checks where possible.
    • Detonate unknown projects in an isolated VM (no PLC/HMI connectivity) before opening them on production engineering PCs. (Aligned with the UI-triggered exploit path.)
  3. Harden engineering workstations:
    • Run engineers as standard users, not local admins.
    • Enable Application Control/allow-listing (e.g., SRP/AppLocker/WDAC) for V-SFT and companion processes.
    • Enforce EDR with memory-corruption protections (ASR/Exploit Guard).
  4. Network containment:
    • Keep programming traffic segmented; allow it only to the intended HMI/PLC networks, and only when needed.
    • Filter email/web downloads of V-SFT project files at gateways; block risky extensions if feasible.
  5. Monitoring & DFIR tips:
    • Watch for V-SFT process spawning unusual children (PowerShell, cmd, script interpreters).
    • Collect Sysmon Event IDs 1/7/10/11 (process creation, image load, process access as an injection indicator, file creation) on engineering hosts.
    • Maintain golden hashes for V-SFT binaries; alert on drift.
  6. Supplier governance: Require integrators to attest to 6.2.9.0+ and provide project artifacts via controlled channels with integrity checks.
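
Added example (not vendor or researcher code) for the monitoring tip in step 5: a filter over exported Sysmon Event ID 1 records that flags script interpreters launched by V-SFT. The executable name `vsft-placeholder.exe` is a placeholder, since the page does not name the V-SFT binary, and the sample events are constructed for illustration.

```python
import ntpath
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
# Placeholder: replace with the V-SFT executable name(s) found on your hosts.
VSFT_IMAGES = {"vsft-placeholder.exe"}
# Children an HMI configurator has no routine reason to launch.
INTERPRETERS = {"powershell.exe", "pwsh.exe", "cmd.exe",
                "wscript.exe", "cscript.exe", "mshta.exe"}

def fields(event):
    """Flatten a Sysmon <Event> into {name: text} plus its EventID."""
    out = {d.get("Name"): (d.text or "")
           for d in event.iterfind("e:EventData/e:Data", NS)}
    out["EventID"] = event.findtext("e:System/e:EventID", default="", namespaces=NS)
    return out

def suspicious_children(xml_text, parents=VSFT_IMAGES):
    """Return process-create events where V-SFT spawned a script interpreter."""
    hits = []
    for ev in ET.fromstring(xml_text).iterfind("e:Event", NS):
        f = fields(ev)
        if f["EventID"] != "1":          # only process creation is relevant here
            continue
        parent = ntpath.basename(f.get("ParentImage", "")).lower()
        child = ntpath.basename(f.get("Image", "")).lower()
        if parent in parents and child in INTERPRETERS:
            hits.append({"time": f.get("UtcTime"), "child": child,
                         "cmdline": f.get("CommandLine"), "user": f.get("User")})
    return hits

def _event(eid, **data):
    """Build one constructed Sysmon-style event for the sample below."""
    rows = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in data.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{eid}</EventID></System>'
            f'<EventData>{rows}</EventData></Event>')

VSFT = r"C:\VSFT-PLACEHOLDER\vsft-placeholder.exe"   # constructed path
SAMPLE = "<Events>" + "".join([                      # constructed events
    _event(1, UtcTime="2025-10-20 08:14:02.115", User=r"PLANT\eng1", ParentImage=VSFT,
           Image=r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
           CommandLine="powershell.exe -NoProfile"),
    _event(1, UtcTime="2025-10-20 08:15:40.002", User=r"PLANT\eng1",
           ParentImage=r"C:\Windows\explorer.exe",
           Image=r"C:\Windows\System32\cmd.exe", CommandLine="cmd.exe"),
    _event(11, UtcTime="2025-10-20 08:16:11.530", Image=VSFT,
           TargetFilename=r"C:\Projects\line3.v6p"),
]) + "</Events>"
```

Calling `suspicious_children(SAMPLE)` returns only the first event; the same parent/child condition can be expressed as a rule in whatever SIEM or EDR receives the Sysmon feed.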

Differences / comparisons with other cases

These flaws mirror many recent OT configuration-tool parsing bugs: user-assisted local exploits that nevertheless yield high-impact outcomes because of the trust and privileges of engineering tools. V-SFT saw two separate 2025 batches (May and October) with similar root causes and exploit models, underscoring the need for secure file handling and least privilege on engineering endpoints.

Summary / key takeaways

  • Treat engineering project files like you treat executables.
  • Upgrade V-SFT to 6.2.9.0 everywhere; remove legacy copies.
  • Enforce least privilege + allow-listing on OT workstations and segment programming paths.
  • Build a detonation workflow for third-party project files before use in production.

Sources / bibliography

  • SecurityWeek coverage (news, impact & context), Oct 16, 2025. (SecurityWeek)
  • JPCERT/CC (JVN) advisory, Oct 8, 2025: CVE-2025-61856…-61864, affected ≤6.2.7.0, impact & CVSS. (Japan Vulnerability Notes)
  • JPCERT/CC (JVN) advisory, May 14, 2025: CVE-2025-47749…-47758 (earlier batch). (Japan Vulnerability Notes)
  • aweSEC researcher advisory (AWE-2025-085 as example): confirms patched in 6.2.9.0 and exploitation via malicious project files. (awesec.com)
  • NVD example record (CVE-2025-61856/-61862): vulnerability class and effects; adds U.S. database confirmation. (NVD)
  • Fuji Electric V-SFT improvement information page (shows 6.2.9.0 release line items, albeit without explicit security notes). (Monitouch)