PatchSiren cyber security CVE debrief
CVE-2024-11799 Fuji Electric CVE debrief
A stack-based buffer overflow vulnerability exists in Fuji Electric Tellus Lite V-Simulator 5 (VS5Sim), a simulator component packaged with the TELLUS Lite HMI/SCADA software. The flaw occurs during parsing of V8 project files, where user-supplied data length is not properly validated before being copied to a fixed-length stack buffer. Successful exploitation requires user interaction—the target must open a malicious V8 file or visit a malicious page that triggers the vulnerable parsing routine. Code execution occurs in the context of the current process. The vulnerability was disclosed on December 3, 2024, with an update published on July 29, 2025, indicating that TELLUS V4.0.22.0 was released to address related vulnerabilities CVE-2024-11802 and CVE-2024-11803. Fuji Electric has transitioned from V-SFT Ver5 to V-SFT Ver6 in newer TELLUS Lite releases, with VS6Sim incorporating input screening to prevent exploitation of this and related vulnerabilities.
- Vendor
- Fuji Electric
- Product
- Tellus Lite
- CVSS
- HIGH 7.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2024-12-03
- Original CVE updated
- 2025-07-29
- Advisory published
- 2024-12-03
- Advisory updated
- 2025-07-29
Who should care
OT security teams operating Fuji Electric HMI/SCADA environments, industrial control system engineers using TELLUS Lite for machine interface development, asset owners in manufacturing and process industries relying on Tellus Lite V-Simulator for offline testing and validation of operator interfaces
Technical summary
The V-Simulator 5 component in Fuji Electric Tellus Lite 4.0.20.0 contains a stack-based buffer overflow in its V8 file parser. The vulnerability stems from missing length validation on user-controlled data copied to a fixed-size stack buffer. Exploitation requires social engineering to induce opening of a crafted V8 file. The CVSS 3.1 score of 7.8 (HIGH) reflects high impact to confidentiality, integrity, and availability, though the attack vector is local with required user interaction. Fuji Electric's remediation strategy involves component replacement rather than patching, migrating from V-SFT Ver5/VS5Sim to V-SFT Ver6/VS6Sim with enhanced input validation.
Defensive priority
HIGH
Recommended defensive actions
- Upgrade to TELLUS Lite V4.0.22.0 or later which replaces V-SFT Ver5 with V-SFT Ver6 and includes VS6Sim with malicious file screening
- If immediate patching is not feasible, restrict user permissions to prevent execution of untrusted V8 project files
- Implement application whitelisting to prevent execution of unapproved simulator components
- Train operators to recognize and avoid opening V8 files from untrusted sources
- Monitor for anomalous process behavior in V-Simulator 5 (VS5Sim.exe) indicating potential exploitation attempts
- Consider network segmentation for engineering workstations running TELLUS Lite to limit lateral movement in case of compromise
Evidence notes
Vulnerability disclosed via CISA ICS Advisory ICSA-24-338-06 on December 3, 2024. Update A published July 29, 2025, documents remediation progress including release of TELLUS V4.0.22.0. Affected version confirmed as Tellus Lite 4.0.20.0. CVSS 3.1 vector confirms local attack vector with user interaction required.
Official resources
-
CVE-2024-11799 CVE record
CVE.org
-
CVE-2024-11799 NVD detail
NVD
-
Source item URL
cisa_csaf
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
-
Source reference
Reference
2024-12-03