PatchSiren

CVE-2024-37022 Fuji Electric CVE debrief

CVE-2024-37022 is a high-severity out-of-bounds write vulnerability in Fuji Electric Tellus Lite V-Simulator, published by CISA on June 13, 2024. The vulnerability allows an attacker to manipulate memory through local access, potentially resulting in arbitrary code execution. The CVSS 3.1 score of 7.8 reflects high impacts to confidentiality, integrity, and availability with a local attack vector requiring user interaction. Fuji Electric has released version 4.0.20.0 to address this vulnerability. Organizations using affected versions should prioritize updating to the patched release and apply defense-in-depth strategies for industrial control systems as recommended by CISA.

Vendor: Fuji Electric
Product: Tellus Lite V-Simulator
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2024-06-13
Original CVE updated: 2024-06-13
Advisory published: 2024-06-13
Advisory updated: 2024-06-13

Who should care

Organizations operating Fuji Electric Tellus Lite V-Simulator in industrial automation environments, particularly those using the software for HMI/SCADA development and testing. Critical infrastructure operators in manufacturing, energy, and process industries relying on this simulation platform for control system validation.

Technical summary

The vulnerability exists in Fuji Electric Tellus Lite V-Simulator versions prior to 4.0.20.0. An out-of-bounds write condition allows memory manipulation that can lead to arbitrary code execution. The attack requires local access and user interaction, with no privileges required. The CVSS 3.1 vector (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H) indicates a local attack vector, low attack complexity, and unchanged scope, with high impact on confidentiality, integrity, and availability.

Defensive priority

HIGH

Recommended defensive actions

  • Update Fuji Electric Tellus Lite V-Simulator to version 4.0.20.0 or later
  • Apply vendor-provided security patches as soon as possible
  • Implement network segmentation for industrial control systems
  • Follow CISA ICS recommended practices for defense-in-depth
  • Restrict local access to engineering workstations running Tellus Lite V-Simulator
  • Monitor for anomalous process behavior or unexpected memory operations

Evidence notes

Vulnerability details sourced from CISA CSAF advisory ICSA-24-165-14. Affected product confirmed as Fuji Electric Tellus Lite V-Simulator versions prior to 4.0.20.0. Remediation guidance explicitly provided by vendor.
