CVE-2025-50130 Overview
CVE-2025-50130 is a heap-based buffer overflow vulnerability in VS6Sim.exe, a simulator component shipped with Fuji Electric's V-SFT and TELLUS human-machine interface (HMI) software products. The flaw is triggered when the simulator parses maliciously crafted V9 or X1 project files. Successful exploitation allows an attacker to execute arbitrary code in the context of the user running the application.
The vulnerability is tracked under CWE-122: Heap-based Buffer Overflow and requires local user interaction to open a weaponized file.
Critical Impact
Opening an attacker-supplied V9 or X1 file in VS6Sim.exe can lead to arbitrary code execution on the engineering workstation, providing a foothold into operational technology (OT) environments.
Affected Products
- Fuji Electric V-SFT (VS6Sim.exe component)
- Fuji Electric TELLUS (VS6Sim.exe component)
- V9 and X1 project file handling within the affected simulators
Discovery Timeline
- 2025-07-08 - CVE-2025-50130 published to the National Vulnerability Database (NVD)
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-50130
Vulnerability Analysis
The vulnerability resides in the file-parsing logic of VS6Sim.exe, the simulator binary bundled with V-SFT and TELLUS. When the simulator opens a V9 or X1 file, it allocates heap buffers based on values read from the file header or embedded structures. A specially crafted file supplies size or length fields that exceed the allocated buffer, causing a write past the end of the heap chunk.
Heap-based buffer overflows in HMI engineering tools are high-value targets because these workstations typically have direct network access to programmable logic controllers (PLCs) and process control networks. Code execution on such a host can pivot into industrial control system (ICS) environments.
Root Cause
The root cause is improper validation of size or length fields contained in the V9 and X1 file formats before they are used to copy data into heap-allocated buffers. The condition aligns with CWE-122, where attacker-controlled data overruns a heap structure, corrupting adjacent allocations or metadata used by the allocator.
Attack Vector
Exploitation requires local access and user interaction. An attacker delivers a crafted V9 or X1 file through phishing, removable media, shared engineering repositories, or supply chain channels. When an engineer opens the file in the affected simulator, the parser triggers the overflow and the attacker can hijack control flow to execute arbitrary code with the privileges of the logged-on user.
No authenticated network vector is required. Public proof-of-concept code is not currently available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog.
The vulnerability manifests during deserialization of size-prefixed records inside the project files. See the JVN advisory JVNVU#94011267 for vendor-coordinated technical details.
Detection Methods for CVE-2025-50130
Indicators of Compromise
- Unexpected child processes spawned by VS6Sim.exe, such as command shells, PowerShell, or script interpreters
- Crashes or Windows Error Reporting (WER) entries referencing VS6Sim.exe with heap corruption exception codes (for example, 0xC0000374)
- Inbound V9 or X1 files received via email, chat, or removable media from untrusted sources
- Outbound network connections initiated by VS6Sim.exe to non-Fuji Electric infrastructure
Detection Strategies
- Monitor process creation events where VS6Sim.exe is the parent of interactive shells or LOLBins
- Hunt for module loads of unsigned or unusual DLLs into the VS6Sim.exe address space
- Alert on file-write activity by VS6Sim.exe outside of expected project directories
Monitoring Recommendations
- Centralize endpoint telemetry from engineering workstations into a SIEM and correlate VS6Sim.exe activity with file-open events
- Track distribution of V9 and X1 files across file shares and email gateways to identify suspicious sources
- Apply application allowlisting policies and audit any execution of binaries originating from user-writable directories on HMI engineering hosts
How to Mitigate CVE-2025-50130
Immediate Actions Required
- Restrict opening of V9 and X1 files in V-SFT and TELLUS to files originating from trusted, verified sources
- Isolate engineering workstations running VS6Sim.exe from general-purpose corporate networks and the internet
- Enforce least privilege so that users running V-SFT or TELLUS do not hold local administrator rights
- Apply vendor updates as soon as they are published on the Fuji Electric Monitouch download portal
Patch Information
Refer to the vendor download portals for the latest fixed releases of V-SFT and TELLUS. Coordinated advisory information is published by JPCERT/JVN. Verify installed versions against the vendor's fixed-version notes before reopening untrusted project files.
Workarounds
- Block delivery of V9 and X1 file extensions at email gateways and web proxies when not operationally required
- Use a dedicated, network-segmented analysis host to inspect untrusted project files before they reach production engineering workstations
- Enable operating system mitigations such as Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and Control Flow Guard (CFG) for VS6Sim.exe
# Example: enforce ASLR and DEP for VS6Sim.exe using Windows Defender Exploit Guard
Set-ProcessMitigation -Name VS6Sim.exe -Enable DEP,EmulateAtlThunks,ForceRelocateImages,BottomUp,HighEntropy,CFG
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

