CVE-2024-11793 Fuji Electric CVE debrief

Who should care

Industrial control system operators, OT security teams, manufacturing organizations using Fuji Electric Monitouch HMI systems, asset owners in critical infrastructure sectors

Technical summary

CVE-2024-11793 is a heap-based buffer overflow vulnerability in Fuji Electric Monitouch V-SFT, an HMI/SCADA development software used in industrial control systems. The vulnerability exists in the parsing of V9C project files, where insufficient validation of user-supplied data allows writing beyond allocated buffer boundaries. Successful exploitation requires user interaction—opening a malicious V9C file or visiting a malicious page—resulting in arbitrary code execution within the current process context. The vulnerability affects versions 6.2.3.0 and earlier. Fuji Electric released patched version 6.2.6.0 in April 2025.

Defensive priority

HIGH

Recommended defensive actions

• Upgrade Fuji Electric Monitouch V-SFT to Version 6.2.6.0 or later, released April 2025
• Restrict user permissions to prevent unauthorized software installation
• Train users to avoid opening untrusted V9C files or visiting suspicious websites
• Implement application whitelisting to prevent execution of unauthorized binaries
• Monitor for anomalous process behavior indicative of code execution
• Apply network segmentation to limit lateral movement if compromise occurs

Evidence notes

The vulnerability exists in the parsing of V9C files within Fuji Electric Monitouch V-SFT versions 6.2.3.0 and earlier. The root cause is lack of proper validation of user-supplied data, leading to a heap buffer overflow. CVSS 3.1 score of 7.8 (HIGH) reflects local attack vector with user interaction required, but high impact on confidentiality, integrity, and availability. CVSS 4.0 vector also provided in source materials.

Official resources