PatchSiren

CVE-2025-53524 Fuji Electric CVE debrief

A high-severity out-of-bounds write vulnerability in Fuji Electric Monitouch V-SFT-6 allows arbitrary code execution when processing malicious project files. The vulnerability was disclosed by CISA on November 4, 2025, with an update on December 16, 2025 that added the CVE identifier. Fuji Electric has released patched versions V6.2.8.0 and later, with V6.2.9.0 recommended as the target update.

Vendor: Fuji Electric
Product: Monitouch V-SFT-6
CVSS: HIGH 7.8
CISA KEV: Not listed in stored evidence
Original CVE published: 2025-11-04
Original CVE updated: 2025-12-16
Advisory published: 2025-11-04
Advisory updated: 2025-12-16

Who should care

Organizations operating Fuji Electric Monitouch HMI systems in manufacturing, energy, water treatment, and other industrial environments, along with the OT security teams, plant engineers, and HMI operators responsible for maintaining safe and reliable industrial control system operations.

Technical summary

The vulnerability exists in Fuji Electric Monitouch V-SFT-6 HMI configuration software. An out-of-bounds write occurs during processing of specially crafted project files, which can be leveraged to achieve arbitrary code execution. The attack vector requires local access with user interaction (opening a malicious project file). The CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H indicates high impacts to confidentiality, integrity, and availability when exploited.

Defensive priority

HIGH

Recommended defensive actions

  • Update Fuji Electric Monitouch V-SFT-6 to version V6.2.9.0 or newer per vendor guidance
  • Restrict access to project file directories to authorized personnel only
  • Implement application whitelisting to prevent execution of unauthorized binaries
  • Train operators to recognize and avoid social engineering attacks targeting HMI systems
  • Apply defense-in-depth strategies for industrial control system environments per CISA guidance

Evidence notes

CISA ICS advisory ICSA-25-308-01 documents this vulnerability with CVSS 3.1 score 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). The advisory was initially published November 4, 2025 and updated December 16, 2025 to add CVE-2025-53524. Fuji Electric remediation guidance specifies V-SFT V6.2.8.0 as the initial fix, with V6.2.9.0 or newer recommended.

Official resources

2025-11-04