PatchSiren cyber security CVE debrief
CVE-2024-5597 Fuji Electric CVE debrief
A type confusion vulnerability in Fuji Electric Monitouch V-SFT programming software, published 2024-05-30 and last modified 2025-07-18, allows local attackers to achieve code execution or crash the application. The vulnerability requires user interaction but no privileges, with CVSS 3.1 score 7.8 (HIGH). Affected versions are prior to 6.2.3.0.
- Vendor: Fuji Electric
- Product: Monitouch V-SFT
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2024-05-30
- Original CVE updated: 2025-07-18
- Advisory published: 2024-05-30
- Advisory updated: 2025-07-18
Who should care
Organizations using Fuji Electric Monitouch V-SFT for HMI programming in industrial control systems, including manufacturing, energy, water/wastewater, and building automation sectors. Asset owners, OT security teams, and control system engineers responsible for maintaining secure engineering workstations should prioritize this update.
Technical summary
CVE-2024-5597 is a type confusion vulnerability in Fuji Electric Monitouch V-SFT, programming software for human-machine interface (HMI) devices used in industrial automation. The vulnerability exists in versions prior to 6.2.3.0. A type confusion occurs when the application incorrectly handles object types, potentially leading to memory corruption. This can result in application crashes or, under certain conditions, arbitrary code execution. The attack vector is local (AV:L), with low attack complexity (AC:L) and required user interaction (UI:R), but no privileges (PR:N). Successful exploitation yields high impact on confidentiality, integrity, and availability (C:H/I:H/A:H). The CVSS 3.1 score is 7.8 (HIGH). CISA published advisory ICSA-24-151-02 on 2024-05-30, with Update A on 2024-06-04 adding the type confusion vulnerability details, and a revision on 2025-07-18 updating the CWE classification. Fuji Electric has released version 6.2.3.0 to address this vulnerability.
Defensive priority
HIGH
Recommended defensive actions
- Update Fuji Electric Monitouch V-SFT to version 6.2.3.0 or later
- Apply defense-in-depth controls for industrial control systems per CISA guidance
- Restrict physical and logical access to engineering workstations running V-SFT
- Validate file integrity before opening project files from external sources
- Monitor for anomalous application crashes or unexpected behavior in V-SFT
Evidence notes
CISA ICS advisory ICSA-24-151-02 (Update A) documents this type confusion vulnerability with CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H. The advisory was initially published 2024-05-30, updated 2024-06-04 to add the type confusion vulnerability, and revised 2025-07-18 to update CWE classification.
Official resources
- CVE-2024-5597 CVE record (CVE.org)
- CVE-2024-5597 NVD detail (NVD)
- Source item URL (cisa_csaf)