PatchSiren cyber security CVE debrief
CVE-2025-54526 Fuji Electric CVE debrief
A stack-based buffer overflow vulnerability exists in Fuji Electric Monitouch V-SFT-6, industrial control system (ICS) software used to program human-machine interface (HMI) devices. The vulnerability is triggered when the software processes a specially crafted project file, potentially allowing an attacker to execute arbitrary code on the affected system. This represents a significant risk to operational technology (OT) environments, where compromised HMI software could lead to disruption of industrial processes or unauthorized control of connected systems. The vulnerability was initially disclosed on November 4, 2025, with an update (Update A) published on December 16, 2025, which added a related CVE identifier (CVE-2025-53524) to the advisory. The CVSS 3.1 score of 7.8 reflects high impact across confidentiality, integrity, and availability, with a local attack vector and user interaction required. Fuji Electric has released a patched version (V6.2.9.0 or newer) to address this vulnerability, and users of affected systems should prioritize updating their installations.
- Vendor: Fuji Electric
- Product: Monitouch V-SFT-6
- CVSS: HIGH 7.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2025-11-04
- Original CVE updated: 2025-12-16
- Advisory published: 2025-11-04
- Advisory updated: 2025-12-16
Who should care
Organizations operating Fuji Electric Monitouch HMI systems in manufacturing, energy, water treatment, or other industrial sectors. OT security teams, ICS engineers, and asset owners responsible for HMI programming workstations should prioritize this patch.
Technical summary
CVE-2025-54526 is a stack-based buffer overflow in Fuji Electric Monitouch V-SFT-6, an HMI programming software for industrial environments. The vulnerability occurs during processing of maliciously crafted project files and can result in arbitrary code execution. CVSS 3.1: 7.8 (AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H). Local attack vector requires user interaction. Vendor patch available in V6.2.9.0+.
Defensive priority
HIGH
Recommended defensive actions
- Update Fuji Electric Monitouch V-SFT-6 to version V6.2.9.0 or newer to remediate the stack-based buffer overflow vulnerability.
- Implement application whitelisting and restrict execution of untrusted project files on engineering workstations running V-SFT-6.
- Establish network segmentation between HMI programming workstations and operational OT networks to limit lateral movement potential.
- Train personnel to recognize and avoid social engineering attacks, particularly phishing attempts that may deliver malicious project files.
- Apply defense-in-depth strategies for industrial control systems, including least privilege access controls and continuous monitoring of engineering workstation activity.
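The first action above is a version check: any V-SFT-6 installation older than V6.2.9.0 still carries the overflow. The script below is an added example (not Fuji Electric or CISA code) that triages an inventory of engineering workstations against that fixed version. The inventory records are constructed sample data, and the assumption that installed versions are reported in the same "V<major>.<minor>.<patch>.<build>" form as the advisory's V6.2.9.0 is ours; entries that cannot be parsed are routed to a manual-review bucket rather than assumed safe.

```python
"""Flag Monitouch V-SFT-6 installations older than the V6.2.9.0 fix for
CVE-2025-54526.

Added illustration, not vendor or CISA code.  The inventory records below
are constructed sample data; "V6.2.9.0" is the fixed version named in the
advisory, and the "V<major>.<minor>.<patch>.<build>" version format is an
assumption about how the installed version is reported.
"""
from __future__ import annotations

import re
from typing import Iterable

FIXED_VERSION = "V6.2.9.0"          # fixed release named in the advisory
PRODUCT = "Monitouch V-SFT-6"

# Optional leading 'V', then one or more dot-separated numeric components.
_VERSION_RE = re.compile(r"^[Vv]?(\d+(?:\.\d+)*)$")


def parse_version(text: str) -> tuple[int, ...]:
    """Turn 'V6.2.9.0' (or '6.2.9') into a comparable tuple of ints.

    Raises ValueError on anything that is not a dotted numeric version, so a
    malformed inventory entry is reported instead of silently passing.
    """
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {text!r}")
    return tuple(int(part) for part in m.group(1).split("."))


def is_vulnerable(installed: str, fixed: str = FIXED_VERSION) -> bool:
    """True when the installed version predates the fixed release."""
    a, b = parse_version(installed), parse_version(fixed)
    # Pad the shorter tuple with zeros so '6.2.9' compares equal to '6.2.9.0'.
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def triage(inventory: Iterable[dict]) -> dict[str, list[str]]:
    """Sort V-SFT-6 hosts into 'patch', 'ok' and 'review' buckets.

    'review' collects hosts whose version is missing or unparseable; those
    need a manual check rather than being counted as patched.
    """
    result: dict[str, list[str]] = {"patch": [], "ok": [], "review": []}
    for rec in inventory:
        if rec.get("product") != PRODUCT:
            continue  # other software is out of scope for this CVE
        try:
            bucket = "patch" if is_vulnerable(rec["version"]) else "ok"
        except (KeyError, ValueError):
            bucket = "review"
        result[bucket].append(rec["host"])
    return result


# Constructed sample inventory: hostnames and versions are made up.
SAMPLE_INVENTORY = [
    {"host": "eng-ws-01", "product": PRODUCT, "version": "V6.2.8.0"},
    {"host": "eng-ws-02", "product": PRODUCT, "version": "V6.2.9.0"},
    {"host": "eng-ws-03", "product": PRODUCT, "version": "6.2.10"},
    {"host": "eng-ws-04", "product": PRODUCT, "version": "unknown"},
    {"host": "eng-ws-05", "product": "Other HMI tool", "version": "V1.0.0.0"},
]

if __name__ == "__main__":
    for bucket, hosts in triage(SAMPLE_INVENTORY).items():
        print(f"{bucket:7s} {', '.join(hosts) or '-'}")
```

Feed `triage` the records from whatever asset inventory or endpoint agent the OT team already runs; the "review" bucket is the list to walk by hand before the workstation is declared remediated.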
Evidence notes
Vulnerability details sourced from CISA ICS advisory ICSA-25-308-01. Vendor remediation confirmed through Fuji Electric software release documentation. CVSS vector confirms local attack vector with user interaction required. Update A (2025-12-16) added CVE-2025-53524 to the same advisory.
Official resources
- CVE-2025-54526 CVE record (CVE.org)
- CVE-2025-54526 NVD detail (NVD)
- Source item URL: cisa_csaf
2025-11-04