PatchSiren

PatchSiren cyber security CVE debrief

CVE-2024-11802 Fuji Electric CVE debrief

A stack-based buffer overflow in Fuji Electric Tellus Lite V-Simulator 5 allows remote attackers to execute arbitrary code when a user opens a malicious V8 file. The vulnerability stems from improper validation of user-supplied data length before copying to a fixed-length stack buffer. This requires user interaction through visiting a malicious page or opening a malicious file. CISA published initial guidance on December 3, 2024, with an update on July 29, 2025 confirming that Fuji Electric released TELLUS V4.0.22.0 in May 2025, which replaces V-Simulator Ver5 with Ver6 to address this issue alongside CVE-2024-11803. The affected version is Tellus Lite 4.0.20.0. No known exploitation in ransomware campaigns has been reported, and this vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog.

Vendor
Fuji Electric
Product
Tellus Lite
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2024-12-03
Original CVE updated
2025-07-29
Advisory published
2024-12-03
Advisory updated
2025-07-29

Who should care

Industrial control system operators using Fuji Electric Tellus Lite for HMI/SCADA applications, particularly in manufacturing and process control environments. Security teams responsible for OT asset management and patch deployment. Organizations with operational technology networks where Tellus Lite V-Simulator is deployed for system simulation or testing.

Technical summary

The V-Simulator 5 component in Fuji Electric Tellus Lite 4.0.20.0 contains a stack-based buffer overflow in its V8 file parsing routine. The flaw occurs because the length of user-supplied data is not sufficiently validated before the data is copied into a fixed-length stack buffer. Successful exploitation allows arbitrary code execution in the context of the current process. The attack vector is local and requires user interaction (opening a malicious file or page). CVSS 3.1: 7.8 (High). Resolved in TELLUS V4.0.22.0, which replaces V-Simulator Ver5 with Ver6.
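The defect class described above is a length-prefixed field copied into a fixed-size stack buffer without the length first being checked against the buffer. The following C example is added here to illustrate that pattern and its fix; it is not Fuji Electric's code, and the two-byte-length record layout it parses is constructed for the example and is not the real V8 file format. The unchecked parser is kept only for contrast and is only ever run on a well-formed record.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed record layout for this example only (hypothetical, NOT the
 * Tellus Lite V8 format):
 *   bytes 0..1 : little-endian uint16 length of the name field
 *   bytes 2..  : name bytes, exactly that many
 */
#define NAME_BUF_SIZE 64

enum parse_result { PARSE_OK = 0, PARSE_TRUNCATED = 1, PARSE_TOO_LONG = 2 };

static uint16_t read_u16le(const uint8_t *p)
{
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}

/* Vulnerable pattern, as the advisory describes it: the length is taken from
 * the file and drives the copy without being compared to the size of the
 * fixed stack buffer, so a length above NAME_BUF_SIZE writes past 'name'.
 * Shown for contrast only; this file never feeds it an oversized record. */
static enum parse_result parse_name_unchecked(const uint8_t *data, size_t data_len,
                                              char *out, size_t out_len)
{
    char name[NAME_BUF_SIZE];                 /* fixed-length stack buffer */
    if (data_len < 2) return PARSE_TRUNCATED;
    uint16_t n = read_u16le(data);
    if (data_len - 2 < n) return PARSE_TRUNCATED;
    memcpy(name, data + 2, n);                /* BUG: n never bounded by sizeof name */
    name[n] = '\0';
    snprintf(out, out_len, "%s", name);
    return PARSE_OK;
}

/* Hardened pattern: the untrusted length is validated against the real
 * capacity of the destination (leaving room for the terminator) before any
 * byte is copied, and against the bytes actually present in the input. */
static enum parse_result parse_name_checked(const uint8_t *data, size_t data_len,
                                            char *out, size_t out_len)
{
    char name[NAME_BUF_SIZE];
    if (data_len < 2) return PARSE_TRUNCATED;
    uint16_t n = read_u16le(data);
    if (n >= sizeof name) return PARSE_TOO_LONG;   /* the missing bounds check */
    if (data_len - 2 < n) return PARSE_TRUNCATED;
    memcpy(name, data + 2, n);
    name[n] = '\0';
    snprintf(out, out_len, "%s", name);
    return PARSE_OK;
}

/* Constructed sample records (not taken from any real file). */
static const uint8_t rec_good[]      = { 0x05, 0x00, 'P', 'L', 'C', '_', '1' }; /* len 5, complete */
static const uint8_t rec_truncated[] = { 0x05, 0x00, 'P', 'L' };                 /* claims 5, has 2 */
static const uint8_t rec_oversized[] = { 0x00, 0x04, 'X' };                      /* claims 1024 bytes */

/* 1 when the checked parser accepts the well-formed record and yields "PLC_1". */
int demo_good_record(void)
{
    char out[NAME_BUF_SIZE];
    enum parse_result r = parse_name_checked(rec_good, sizeof rec_good, out, sizeof out);
    return r == PARSE_OK && strcmp(out, "PLC_1") == 0;
}

/* 1 when the unchecked parser agrees on well-formed input; the two parsers
 * differ only once the length field is hostile. */
int demo_unchecked_on_good_record(void)
{
    char out[NAME_BUF_SIZE];
    enum parse_result r = parse_name_unchecked(rec_good, sizeof rec_good, out, sizeof out);
    return r == PARSE_OK && strcmp(out, "PLC_1") == 0;
}

/* Result code for a record whose length field exceeds the stack buffer:
 * the copy is refused before it can happen (PARSE_TOO_LONG). */
int demo_oversized_record(void)
{
    char out[NAME_BUF_SIZE];
    return (int)parse_name_checked(rec_oversized, sizeof rec_oversized, out, sizeof out);
}

/* Result code for a record that promises more bytes than are present. */
int demo_truncated_record(void)
{
    char out[NAME_BUF_SIZE];
    return (int)parse_name_checked(rec_truncated, sizeof rec_truncated, out, sizeof out);
}

int main(void)
{
    printf("good=%d unchecked_good=%d oversized=%d truncated=%d\n",
           demo_good_record(), demo_unchecked_on_good_record(),
           demo_oversized_record(), demo_truncated_record());
    return 0;
}
```

The order of the two checks in the hardened parser matters: the length is compared to the destination buffer before it is compared to the remaining input, so an oversized length is rejected even when the file is also truncated, and no arithmetic on the untrusted value can underflow because `data_len >= 2` has already been established.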

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to Fuji Electric TELLUS V4.0.22.0 or later, which replaces V-Simulator Ver5 with Ver6 and resolves this vulnerability
  • If immediate patching is not feasible, restrict user permissions to prevent unauthorized installation or execution of untrusted V8 files
  • Implement application allowlisting to prevent execution of unapproved V-Simulator instances
  • Train users to recognize and avoid opening untrusted files or visiting suspicious web pages
  • Monitor for anomalous process execution within Tellus Lite environments
  • Apply defense-in-depth strategies including network segmentation for ICS environments per CISA guidance

Evidence notes

Vulnerability description and remediation timeline derived from CISA CSAF advisory ICSA-24-338-06. The CVSS 3.1 vector confirms a local attack vector with user interaction required. Patch availability confirmed through CISA revision history noting the TELLUS V4.0.22.0 release.

Official resources

CISA published initial advisory ICSA-24-338-06 on December 3, 2024. Fuji Electric released TELLUS V4.0.22.0 in May 2025, documented in CISA's Update A on July 29, 2025.