PatchSiren cyber security CVE debrief
CVE-2024-5271 Fuji Electric CVE debrief
CVE-2024-5271 is a high-severity vulnerability in Fuji Electric Monitouch V-SFT, an HMI (Human-Machine Interface) configuration software used in industrial control systems. The vulnerability stems from a type confusion weakness that leads to an out-of-bounds write, enabling arbitrary code execution when processing maliciously crafted files. CISA published the initial advisory on May 30, 2024, with an update on June 4, 2024 adding the type confusion classification, and a revision on July 18, 2025 updating the CWE categorization. The vulnerability requires local access and user interaction, with an attacker needing to convince a user to open a malicious file. Fuji Electric has released version 6.2.3.0 to address this issue. Organizations using affected versions should prioritize patching due to the potential for complete system compromise in engineering workstations.
- Vendor: Fuji Electric
- Product: Monitouch V-SFT
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-30
- Original CVE updated: 2025-07-18
- Advisory published: 2024-05-30
- Advisory updated: 2025-07-18
Who should care
Organizations operating Fuji Electric Monitouch HMI systems in manufacturing, energy, water treatment, and other industrial sectors. OT security teams, HMI engineers, and plant automation personnel responsible for maintaining secure engineering workflows. Asset owners with unmanaged or outdated V-SFT installations on engineering workstations.
Technical summary
A type confusion vulnerability in Fuji Electric Monitouch V-SFT versions prior to 6.2.3.0 allows attackers to trigger an out-of-bounds write through crafted input, resulting in arbitrary code execution. The CVSS 3.1 score of 7.8 reflects high impacts to confidentiality, integrity, and availability with a local attack vector and required user interaction. The vulnerability affects the engineering workstation software used to configure Fuji Electric HMI panels. Successful exploitation grants the attacker code execution in the context of the V-SFT application, potentially compromising the engineering environment and enabling subsequent attacks against connected operational technology infrastructure.
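The type-confusion-to-out-of-bounds-write chain described above, as an added illustration written for this debrief rather than code from Fuji Electric or from the advisory. The record format, field names and sizes are invented, and the defect shown is the generic CWE-843 pattern (a tag read from the file selects which union member is written, while the copy length comes from a separate field that nothing ties to that member), not the specific bug in V-SFT. The hardened parser derives the capacity from the same tag and rejects any record whose declared length exceeds it.

```c
/* Constructed teaching example for this debrief: a tagged-union record
 * parser whose type confusion (CWE-843) becomes an out-of-bounds write,
 * next to the hardened parse. Not V-SFT source; the format is invented. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

enum rec_kind { REC_LABEL = 1, REC_COLOR = 2 };

struct label_rec { uint8_t text[64]; };   /* largest union member */
struct color_rec { uint8_t rgb[3];   };   /* smallest union member */

/* One parsed object; kind says which union member is live. */
struct record {
    uint8_t kind;
    union { struct label_rec label; struct color_rec color; } u;
};

/* Parser destination. canary stands in for whatever the allocator places
 * after the object (another object, a length field, a function pointer);
 * pad keeps the demo's overflow inside this one struct. */
#define CANARY 0x5A5A5A5Au
struct arena { struct record obj; uint32_t canary; uint8_t pad[256]; };

void arena_init(struct arena *a) { memset(a, 0, sizeof *a); a->canary = CANARY; }
int  canary_intact(const struct arena *a) { return a->canary == CANARY; }

/* Inner copy loop through a plain pointer, as a real parser would have. */
static void store_payload(uint8_t *dst, const uint8_t *src, size_t len)
{
    for (size_t i = 0; i < len; i++) dst[i] = src[i];
}

/* Invented on-disk encoding: [kind:1][len:1][payload:len].
 * Vulnerable parse: the kind tag picks the destination member and the len
 * field picks the copy size, but nothing checks that len fits the member
 * the tag selected, so a REC_COLOR record can carry 255 bytes into rgb[3].
 * Returns bytes consumed, or -1 for a truncated or unknown record. */
int parse_record_vuln(const uint8_t *buf, size_t n, struct arena *a)
{
    if (n < 2) return -1;
    uint8_t kind = buf[0], len = buf[1];
    if (n - 2 < len) return -1;               /* the read side is bounded */
    uint8_t *dst;
    switch (kind) {
    case REC_LABEL: dst = a->obj.u.label.text; break;
    case REC_COLOR: dst = a->obj.u.color.rgb;  break;
    default:        return -1;
    }
    store_payload(dst, buf + 2, len);         /* the write side is not */
    a->obj.kind = kind;
    return 2 + len;
}

/* Hardened parse: the same tag yields both destination and capacity, and a
 * record whose declared length exceeds that capacity is rejected outright
 * rather than truncated, so no write can leave the selected member. */
int parse_record_safe(const uint8_t *buf, size_t n, struct arena *a)
{
    if (n < 2) return -1;
    uint8_t kind = buf[0], len = buf[1];
    if (n - 2 < len) return -1;
    uint8_t *dst; size_t cap;
    switch (kind) {
    case REC_LABEL: dst = a->obj.u.label.text; cap = sizeof a->obj.u.label.text; break;
    case REC_COLOR: dst = a->obj.u.color.rgb;  cap = sizeof a->obj.u.color.rgb;  break;
    default:        return -1;
    }
    if (len > cap) return -1;                 /* reject, do not truncate */
    store_payload(dst, buf + 2, len);
    a->obj.kind = kind;
    return 2 + len;
}

/* Runs both parsers on a valid record and a crafted one (both constructed
 * here). Calls go through volatile function pointers so the compiler cannot
 * inline them and reason away the out-of-bounds stores. Returns bit flags:
 * 1 = safe parser accepts the valid record, 2 = safe parser rejects the
 * crafted one, 4 = vulnerable parser accepts it and clobbers the canary. */
int run_demo(void)
{
    int (*volatile safe)(const uint8_t *, size_t, struct arena *) = parse_record_safe;
    int (*volatile vuln)(const uint8_t *, size_t, struct arena *) = parse_record_vuln;
    int (*volatile intact)(const struct arena *) = canary_intact;

    const uint8_t good[] = { REC_COLOR, 3, 0x10, 0x20, 0x30 };
    uint8_t bad[2 + 100] = { REC_COLOR, 100 };
    memset(bad + 2, 0x41, 100);               /* 100-byte payload tagged as 3-byte color */

    struct arena a; int flags = 0;
    arena_init(&a);
    if (safe(good, sizeof good, &a) == 5 && intact(&a)) flags |= 1;
    arena_init(&a);
    if (safe(bad, sizeof bad, &a) == -1 && intact(&a)) flags |= 2;
    arena_init(&a);
    if (vuln(bad, sizeof bad, &a) == 102 && !intact(&a)) flags |= 4;
    return flags;                             /* 7 when the bug behaves as described */
}

int main(void)
{
    printf("demo flags = %d (expect 7)\n", run_demo());
    return 0;
}
```

The point of the two parsers side by side is that the fix is not a bigger buffer but a single invariant: whichever field chose the destination must also bound the write. The canary in the demo struct plays the role of the neighbouring heap or stack data that an attacker-controlled length would overwrite in a real parser, which is how an out-of-bounds write becomes code execution in the context of the application.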
Defensive priority
high
Recommended defensive actions
- Update Monitouch V-SFT to version 6.2.3.0 or later per vendor guidance
- Implement application whitelisting on engineering workstations to prevent execution of unauthorized V-SFT project files
- Train HMI programmers and operators to avoid opening V-SFT project files from untrusted sources
- Segment engineering workstations from operational networks using Purdue Model Level 3.5 boundaries
- Monitor for anomalous V-SFT process behavior or unexpected network connections from engineering hosts
- Review and restrict file share access for V-SFT project directories to authorized personnel only
Evidence notes
Vulnerability details sourced from CISA CSAF advisory ICSA-24-151-02. CVSS 3.1 vector confirms local attack vector with user interaction required. Vendor fix confirmed via remediation URL in CSAF document. Type confusion root cause added in Update A (2024-06-04). CWE update in Revision (2025-07-18).
Official resources
- CVE-2024-5271 CVE record (CVE.org)
- CVE-2024-5271 NVD detail (NVD)
- Source item URL (cisa_csaf)
2024-05-30