PatchSiren

CVE-2024-11803 Fuji Electric CVE debrief

A high-severity memory corruption vulnerability in Fuji Electric Tellus Lite V-Simulator enables remote code execution through malicious V8 files. The flaw stems from insufficient input validation during V8 file parsing in V-Simulator 5, allowing an out-of-bounds write that can be exploited to execute arbitrary code within the current process context. User interaction is required—targets must open a crafted file or visit a malicious page. The vulnerability was disclosed on December 3, 2024, with an updated advisory published July 29, 2025, confirming that Fuji Electric released TELLUS V4.0.22.0 in May 2025 to address this issue by replacing V-Simulator Ver5 with Ver6.

Vendor: Fuji Electric
Product: Tellus Lite
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-12-03
Original CVE updated: 2025-07-29
Advisory published: 2024-12-03
Advisory updated: 2025-07-29

Who should care

Industrial control system operators, OT security teams, and organizations using Fuji Electric Tellus Lite for HMI/SCADA applications should prioritize patching. The vulnerability poses significant risk to manufacturing, energy, and critical infrastructure environments where Tellus Lite is deployed for process visualization and control.

Technical summary

The vulnerability exists in the V-Simulator 5 component's V8 file parser. Insufficient validation of user-supplied data allows a write beyond allocated buffer boundaries, corrupting memory and enabling code execution in the context of the current process. The attack vector requires local access with user interaction (opening a malicious V8 file), but the resulting impact is high—complete confidentiality, integrity, and availability compromise of the process. The fix involves migrating to V-Simulator Ver6 in TELLUS V4.0.22.0, which properly validates V8 file data structures.

Defensive priority

HIGH

Recommended defensive actions

  • Upgrade to Fuji Electric TELLUS V4.0.22.0 or later, which replaces V-Simulator Ver5 with Ver6 and resolves this vulnerability
  • If immediate patching is not feasible, restrict user permissions to prevent execution of untrusted V8 files and implement application whitelisting
  • Train operators to avoid opening V8 files from untrusted sources and to verify file origins before loading into V-Simulator
  • Monitor for suspicious V-Simulator process behavior or unexpected network connections from the application
  • Apply defense-in-depth controls including network segmentation for systems running Tellus Lite to limit lateral movement if compromise occurs
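
To act on the upgrade recommendation above, the following added example (not from the advisory or from Fuji Electric) triages an asset inventory for Tellus Lite hosts below V4.0.22.0. The CSV column names, hostnames and sample versions are constructed, and treating every release below V4.0.22.0 as needing the upgrade is an assumption.

```python
import csv
import io
import re

FIXED = (4, 0, 22, 0)  # TELLUS V4.0.22.0, the fixed release named on this page

# Constructed sample inventory; hostnames, column names and versions are made up.
SAMPLE_INVENTORY = """host,product,version
hmi-line1,Tellus Lite,V4.0.20.0
hmi-line2,TELLUS Lite,4.0.22.0
eng-ws-07,Tellus Lite,V4.0.9.0
hmi-pack3,Tellus Lite,unknown
hist-01,Other Historian,2.1
hmi-line4,tellus lite,v4.1.0.0
"""

def parse_version(text):
    """Return a 4-tuple of ints for 'V4.0.22.0'-style strings, or None."""
    m = re.fullmatch(r"[Vv]?(\d+(?:\.\d+){0,3})", text.strip())
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    return tuple(parts + [0] * (4 - len(parts)))  # pad short versions with zeros

def triage(inventory_csv):
    """Sort Tellus Lite hosts into needs_upgrade / fixed / review buckets."""
    result = {"needs_upgrade": [], "fixed": [], "review": []}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        if "tellus" not in row["product"].lower():
            continue  # not the affected product
        version = parse_version(row["version"])
        if version is None:
            result["review"].append(row["host"])  # unparseable: check by hand
        elif version < FIXED:
            # Numeric tuple compare: 4.0.9.0 sorts below 4.0.22.0,
            # which a plain string comparison would get wrong.
            result["needs_upgrade"].append(row["host"])
        else:
            result["fixed"].append(row["host"])
    return result

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket}: {', '.join(hosts) or '-'}")
```

Hosts in the review bucket have a version string that could not be parsed and should be checked by hand rather than assumed fixed.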

Evidence notes

Vulnerability disclosed via CISA ICS advisory ICSA-24-338-06. Advisory updated July 29, 2025 to confirm patch availability. CVSS 3.1 score 7.8 (HIGH). No known exploitation in the wild or ransomware campaign use documented.
