PatchSiren cyber security CVE debrief
CVE-2024-34171 Fuji Electric CVE debrief
CVE-2024-34171 is a stack-based buffer overflow vulnerability in Fuji Electric Monitouch V-SFT, an HMI (Human-Machine Interface) programming software used in industrial control systems. The vulnerability, published by CISA on May 30, 2024, and last modified on July 18, 2025, allows an attacker to execute arbitrary code on affected systems. The CVSS 3.1 score of 7.8 (HIGH) reflects a local attack vector with low attack complexity, no required privileges, and required user interaction. The vulnerability affects Monitouch V-SFT versions prior to 6.2.3.0. CISA's advisory was updated in June 2024 to include an additional type confusion vulnerability, and revised in July 2025 to update the CWE classification. No known exploitation in ransomware campaigns has been reported, and the vulnerability is not listed in CISA's Known Exploited Vulnerabilities (KEV) catalog.
- Vendor: Fuji Electric
- Product: Monitouch V-SFT
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-30
- Original CVE updated: 2025-07-18
- Advisory published: 2024-05-30
- Advisory updated: 2025-07-18
Who should care
Industrial control system operators using Fuji Electric Monitouch V-SFT for HMI programming; OT security teams managing engineering workstation security; critical infrastructure organizations with Fuji Electric HMI deployments; asset owners following IEC 62443 security lifecycle practices
Technical summary
The vulnerability exists in the Monitouch V-SFT software's handling of project files or data structures, where insufficient bounds checking leads to stack-based buffer overflow conditions. Successful exploitation enables arbitrary code execution within the context of the V-SFT application, potentially compromising the engineering workstation and giving subsequent access to connected industrial control systems. The attack requires local access and user interaction (e.g., opening a malicious project file), which limits remote exploitation but leaves significant risk of targeted attacks against OT environments. The June 2024 advisory update indicates additional type confusion vulnerabilities were discovered in the same product, suggesting broader input validation weaknesses.
Defensive priority
HIGH
Recommended defensive actions
- Update Monitouch V-SFT to version 6.2.3.0 or later per vendor guidance
- Validate file integrity of project files before opening in V-SFT
- Implement application whitelisting on engineering workstations running V-SFT
- Restrict physical and remote access to HMI programming stations
- Follow CISA ICS recommended practices for defense-in-depth strategies
- Monitor for anomalous process execution from V-SFT application context
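One way to implement the last action above, as an added example that is not part of the original debrief or any vendor tooling: it walks process-creation events in time order and flags every process started anywhere beneath V-SFT that is not on an allowlist. The executable names, the event field names (`ts`, `pid`, `ppid`, `image`, `cmd`) and the sample events are assumptions constructed for illustration; the page does not name the V-SFT binary.

```python
import json
from pathlib import PureWindowsPath

# Placeholder: the page does not name the V-SFT executable; set it per site.
VSFT_IMAGES = {"vsft_placeholder.exe"}
# Assumed allowlist of helpers V-SFT legitimately starts; build it from a baseline.
ALLOWED_CHILDREN = {"vsft_helper_placeholder.exe"}

# Constructed process-creation events, one JSON object per line, oldest first.
SAMPLE_EVENTS = r"""
{"ts":"2024-06-01T08:00:01Z","pid":100,"ppid":4,"image":"C:\\Windows\\explorer.exe","cmd":"explorer.exe"}
{"ts":"2024-06-01T08:05:10Z","pid":200,"ppid":100,"image":"C:\\Apps\\VSFT\\vsft_placeholder.exe","cmd":"vsft_placeholder.exe line3.project"}
{"ts":"2024-06-01T08:05:12Z","pid":210,"ppid":200,"image":"C:\\Apps\\VSFT\\vsft_helper_placeholder.exe","cmd":"vsft_helper_placeholder.exe"}
{"ts":"2024-06-01T08:05:15Z","pid":220,"ppid":200,"image":"C:\\Windows\\System32\\cmd.exe","cmd":"cmd.exe /c example"}
{"ts":"2024-06-01T08:05:16Z","pid":230,"ppid":220,"image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","cmd":"powershell.exe -File example.ps1"}
{"ts":"2024-06-01T08:06:00Z","pid":300,"ppid":100,"image":"C:\\Windows\\System32\\notepad.exe","cmd":"notepad.exe"}
"""

def basename(image):
    """Lower-cased file name of a Windows image path."""
    return PureWindowsPath(image).name.lower()

def flag_vsft_descendants(lines, vsft_images=VSFT_IMAGES, allowed=ALLOWED_CHILDREN):
    """Return alerts for non-allowlisted processes started under V-SFT."""
    in_context = {}  # pid -> image-name chain from V-SFT down to that pid
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        name = basename(ev["image"])
        if name in vsft_images:
            in_context[ev["pid"]] = [name]  # root of a monitored tree
            continue
        chain = in_context.get(ev["ppid"])
        if chain is None:
            in_context.pop(ev["pid"], None)  # pid reused outside the tree
            continue
        in_context[ev["pid"]] = chain + [name]  # keep tracking grandchildren
        if name not in allowed:
            alerts.append({"ts": ev["ts"], "pid": ev["pid"],
                           "chain": " > ".join(chain + [name]), "cmd": ev["cmd"]})
    return alerts

if __name__ == "__main__":
    for alert in flag_vsft_descendants(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

Process exit is not modelled here, so a production version should also drop a pid from the tracked set when its termination event arrives.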
Evidence notes
Primary source is CISA CSAF advisory ICSA-24-151-02, with revision history documenting initial publication (May 30, 2024), Update A adding type confusion vulnerability (June 4, 2024), and revision updating CWE classification (July 18, 2025). Vendor fix confirmed via CSAF remediation data pointing to Fuji Electric update. CVSS vector confirms local attack surface with user interaction requirement.
Official resources
- CVE-2024-34171 CVE record (CVE.org)
- CVE-2024-34171 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-05-30