PatchSiren cyber security CVE debrief

CVE-2025-54496 Fuji Electric CVE debrief

A heap-based buffer overflow vulnerability exists in Fuji Electric Monitouch V-SFT-6: opening a maliciously crafted project file can trigger arbitrary code execution on the workstation running the tool. The vulnerability was initially disclosed on November 4, 2025; the advisory was updated on December 16, 2025 (Update A), which added CVE-2025-53524 to the same advisory. Fuji Electric recommends updating V-SFT-6 to version V6.2.9.0 or newer. The CVSS 3.1 score of 7.8 reflects high impact on confidentiality, integrity, and availability, offset only by a local attack vector and the need for user interaction (a user has to open the file).

Vendor
Fuji Electric
Product
Monitouch V-SFT-6
CVSS
HIGH 7.8
CISA KEV
Not listed in stored evidence
Original CVE published
2025-11-04
Original CVE updated
2025-12-16
Advisory published
2025-11-04
Advisory updated
2025-12-16

Who should care

Organizations operating Fuji Electric Monitouch HMI systems in industrial environments, and specifically the teams that run V-SFT-6 for project development. The affected component is the project-development tool, so the exposure sits on the engineering workstations where project files are opened, edited, and exchanged. Critical infrastructure operators, manufacturing facilities, and OT security teams should prioritize patching, since code execution on an engineering workstation gives an attacker a foothold from which HMI projects and downstream controllers can be tampered with, leading to operational disruption or safety impacts.

Technical summary

The vulnerability stems from improper handling of maliciously crafted project files in Fuji Electric Monitouch V-SFT-6: a length or count taken from the file is not bounded before data is written into a heap-allocated buffer, resulting in a heap-based buffer overflow. Successful exploitation requires local access and user interaction (a user opening the malicious file in V-SFT-6), but can lead to complete compromise of confidentiality, integrity, and availability on the affected system. The stated components (local attack vector, low attack complexity, no privileges required, user interaction required, high C/I/A impact) are consistent with the CVSS 3.1 vector AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H, which scores 7.8. "Local" here does not mean the attacker needs an account on the workstation: the file can arrive by email, a shared drive, or a removable device, and the victim supplies the execution step by opening it.
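The defect class described above, as an added illustration that is not V-SFT-6 code and does not use the real V-SFT-6 project format: a made-up record layout (4-byte tag, 32-bit little-endian payload length, payload) is parsed into a fixed-size heap object once by trusting the length field from the file, and once with the two bounds checks that make the crafted record fail cleanly. The record builder lets a test construct both a benign file and a crafted one whose declared length exceeds the destination buffer.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical record layout used only for this illustration
 * (not the real V-SFT-6 project format):
 *   bytes 0..3 : 4-byte ASCII tag, e.g. "SCRN"
 *   bytes 4..7 : little-endian uint32 payload length
 *   bytes 8..  : payload (a screen name)
 */
#define NAME_CAP 64

struct screen {
    char name[NAME_CAP];   /* fixed-size field inside a heap-allocated object */
};

static uint32_t rd_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* VULNERABLE pattern: the copy length comes straight from the file.
 * A record whose declared length exceeds NAME_CAP writes past the end of
 * the 64-byte heap object (and reads past the end of the input buffer). */
struct screen *parse_screen_vulnerable(const uint8_t *buf, size_t len) {
    if (len < 8) return NULL;
    uint32_t payload_len = rd_le32(buf + 4);
    struct screen *s = malloc(sizeof *s);
    if (!s) return NULL;
    memcpy(s->name, buf + 8, payload_len);   /* heap overflow when payload_len > NAME_CAP */
    return s;
}

/* HARDENED pattern: the declared length is bounded by both the bytes actually
 * present after the header and the destination capacity (leaving room for a
 * terminator). Either violation rejects the record instead of copying. */
struct screen *parse_screen_hardened(const uint8_t *buf, size_t len) {
    if (len < 8) return NULL;
    uint32_t payload_len = rd_le32(buf + 4);
    if (payload_len > len - 8) return NULL;      /* claims more bytes than the file holds */
    if (payload_len >= NAME_CAP) return NULL;    /* would not fit the heap object */
    struct screen *s = calloc(1, sizeof *s);
    if (!s) return NULL;
    memcpy(s->name, buf + 8, payload_len);
    s->name[payload_len] = '\0';
    return s;
}

/* Builds one record into out. declared_len is what the header claims;
 * actual_len is how many payload bytes are really appended, so a crafted
 * file can claim more than it carries. Returns bytes written, 0 on error. */
size_t build_record(uint8_t *out, size_t cap, const char tag[4],
                    const uint8_t *payload, uint32_t declared_len, size_t actual_len) {
    if (cap < 8 + actual_len) return 0;
    memcpy(out, tag, 4);
    out[4] = (uint8_t)(declared_len);
    out[5] = (uint8_t)(declared_len >> 8);
    out[6] = (uint8_t)(declared_len >> 16);
    out[7] = (uint8_t)(declared_len >> 24);
    memcpy(out + 8, payload, actual_len);
    return 8 + actual_len;
}

int main(void) {
    uint8_t file[512];
    uint8_t big[200];
    memset(big, 'A', sizeof big);

    /* Constructed benign record: both parsers accept it. */
    size_t n = build_record(file, sizeof file, "SCRN", (const uint8_t *)"Main", 4, 4);
    struct screen *ok = parse_screen_hardened(file, n);
    printf("benign record -> %s\n", ok ? ok->name : "(rejected)");
    free(ok);

    /* Constructed crafted record: 200 bytes declared and present, but the
     * destination only holds 64. The hardened parser rejects it; the
     * vulnerable parser would corrupt the heap, so it is not called here. */
    n = build_record(file, sizeof file, "SCRN", big, 200, sizeof big);
    printf("oversized record -> %s\n",
           parse_screen_hardened(file, n) ? "accepted" : "rejected");

    /* Constructed crafted record: header claims 0xFFFFFFFF bytes, file has 4. */
    n = build_record(file, sizeof file, "SCRN", (const uint8_t *)"Main", 0xFFFFFFFFu, 4);
    printf("truncated record -> %s\n",
           parse_screen_hardened(file, n) ? "accepted" : "rejected");
    return 0;
}
```

The two checks are deliberately separate: the first protects the read side (the parser must not run past the input it was given), the second protects the write side (the destination has a fixed capacity regardless of what the file claims). Treating either one as implied by the other is how a fixed-size heap field ends up overwritten by a 200-byte name.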

Defensive priority

HIGH

Recommended defensive actions

  • Update Fuji Electric Monitouch V-SFT-6 to version V6.2.9.0 or newer, as recommended by Fuji Electric; inventory every engineering workstation that has V-SFT-6 installed, including laptops used by integrators, since any of them can open a project file.
  • Apply defense-in-depth strategies for industrial control systems: keep engineering workstations on a segmented network, restrict who may log in to them, and limit what they can reach so that code execution on one workstation does not give direct access to HMIs and controllers.
  • Treat project files that arrive outside the normal engineering change process as untrusted; only open files from known sources, and do not open project files received as unsolicited attachments or downloaded from unverified links.
  • Implement user awareness training so that engineers recognize social engineering attempts, particularly phishing that delivers project files.
  • Refer to CISA guidance on recognizing and avoiding email scams and social engineering attacks.

Evidence notes

Source: CISA CSAF advisory ICSA-25-308-01. Vendor confirmed: Fuji Electric. Remediation confirmed: V-SFT V6.2.8.0 (October release) with recommendation to update to V6.2.9.0 or newer.

Official resources

CISA ICS Advisory ICSA-25-308-01, published 2025-11-04 (updated 2025-12-16, Update A)