CVE-2024-11801 Fuji Electric CVE debrief

Who should care

Organizations operating Fuji Electric Tellus Lite HMI/SCADA systems, particularly in manufacturing, energy, and critical infrastructure sectors. Security teams responsible for OT/ICS asset protection, patch management personnel, and operators of industrial workstations running V-Simulator components.

Technical summary

The vulnerability exists in the V-Simulator 5 (VS5Sim) component's parsing of V8 files. Insufficient validation of user-supplied data allows a write past the end of an allocated buffer, enabling arbitrary code execution in the context of the current process. Exploitation requires user interaction—specifically, opening a malicious V8 file or visiting a malicious page that triggers file handling. Fuji Electric's remediation replaces the vulnerable V-SFT Ver5 with V-SFT Ver6; VS6Sim includes input validation to screen incoming data and prevent exploitation of this vulnerability and related flaws (CVE-2024-11799, CVE-2024-11800).

Defensive priority

HIGH

Recommended defensive actions

• Upgrade to TELLUS Lite V4.0.22.0 or later, which replaces V-SFT Ver5 with V-SFT Ver6 and includes VS6Sim with malicious file screening
• If running Tellus Lite 4.0.20.0, apply vendor-provided mitigations and monitor for updates
• Implement application whitelisting to restrict execution of unapproved V8 files
• Train users to avoid opening V8 files from untrusted sources
• Deploy endpoint protection with behavioral monitoring for industrial control system workstations
• Segment OT networks to limit lateral movement if compromise occurs
• Review and apply CISA ICS recommended practices for defense-in-depth

Evidence notes

Vulnerability disclosed via CISA ICS advisory ICSA-24-338-06 on 2024-12-03. Advisory updated 2025-07-29 to note TELLUS V4.0.22.0 release addressing related CVEs. Affected version: Tellus Lite 4.0.20.0. CVSS 3.1 vector: AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H.

Official resources