CVE-2025-61861 Overview
CVE-2025-61861 is an out-of-bounds read vulnerability in the VS6ComFile!load_link_inf function of Fuji Electric V-SFT v6.2.7.0 and earlier. The flaw is triggered when a user opens a specially crafted V-SFT project file. Successful exploitation can lead to information disclosure, abnormal process termination (ABEND), or arbitrary code execution within the context of the V-SFT application. V-SFT is configuration software for Fuji Electric Monitouch human-machine interface (HMI) panels, making this issue relevant to industrial control system (ICS) engineering workstations.
Critical Impact
Opening a malicious V-SFT file on an engineering workstation can leak memory contents and allow arbitrary code execution, providing a foothold into operational technology (OT) environments.
Affected Products
- Fuji Electric Monitouch V-SFT v6.2.7.0
- All prior versions of Fuji Electric Monitouch V-SFT v6
- HMI engineering workstations running vulnerable V-SFT installations
Discovery Timeline
- 2025-10-10 - CVE-2025-61861 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2025-61861
Vulnerability Analysis
The vulnerability resides in the VS6ComFile!load_link_inf routine, which parses link information embedded in V-SFT project files. The routine reads structured data without correctly validating offsets or length fields against the bounds of the underlying buffer. When a crafted file supplies attacker-controlled size or index values, the parser reads memory outside the intended allocation. Depending on the memory layout at the time of parsing, the out-of-bounds read can disclose adjacent heap data, cause the process to terminate abnormally, or be chained with additional primitives to achieve arbitrary code execution. The weakness is classified as [CWE-125] Out-of-Bounds Read.
Root Cause
The root cause is missing bounds validation in the V-SFT file parser. VS6ComFile!load_link_inf trusts length and offset values stored in the input file when iterating over link information structures. Without sanity checks against the actual buffer size, malformed records cause the function to dereference memory beyond the allocated region.
Attack Vector
Exploitation requires local user interaction. An attacker delivers a malicious V-SFT file through email, shared drives, removable media, or compromised project repositories. When an engineer opens the file in V-SFT, the parser processes the crafted link information and triggers the out-of-bounds read. The attack vector aligns with common ICS targeting patterns where engineering workstations are reached through spear-phishing or supply-chain compromise of project files.
No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. See the JVN Security Vulnerability Report for additional technical context.
Detection Methods for CVE-2025-61861
Indicators of Compromise
- Unexpected crashes or ABEND events of the V-SFT v6 process on engineering workstations
- V-SFT project files (.V8, .V9, and related extensions) received from untrusted sources or external email
- Anomalous child processes spawned by the V-SFT executable following file open events
- New or modified V-SFT project files in shared engineering directories without corresponding change-control records
Detection Strategies
- Monitor process crash and Windows Error Reporting (WER) events associated with V-SFT binaries on HMI engineering hosts
- Correlate file-open events for V-SFT extensions with subsequent process injection, memory allocation, or network connection activity
- Inspect inbound email and file-share traffic for V-SFT project files originating from outside the engineering team
Monitoring Recommendations
- Enable endpoint detection and response (EDR) telemetry on all engineering workstations that run V-SFT
- Forward V-SFT application logs and Windows application event logs to a centralized SIEM for retention and analysis
- Baseline normal V-SFT usage patterns so that off-hours file opens and unusual parent-child process relationships generate alerts
How to Mitigate CVE-2025-61861
Immediate Actions Required
- Inventory all systems running Fuji Electric Monitouch V-SFT v6 and identify versions at or below 6.2.7.0
- Restrict V-SFT usage to dedicated engineering workstations isolated from general corporate email and web browsing
- Instruct engineers to open V-SFT project files only when their origin and integrity have been verified
- Apply the vendor-supplied update as soon as it becomes available for your environment
Patch Information
Fuji Electric distributes updated V-SFT v6 installers through the official download portal. Refer to the Fuji Electric Monitouch Download Page for the latest fixed release and to the JVN Security Vulnerability Report for advisory details. Upgrade all V-SFT v6 installations beyond version 6.2.7.0 to remediate the out-of-bounds read in VS6ComFile!load_link_inf.
Workarounds
- Block delivery of V-SFT project files through perimeter email and web gateways unless they originate from approved partners
- Store project files in version-controlled repositories that enforce integrity checks and authenticated commits
- Apply application allowlisting so V-SFT executables run only from approved paths and cannot launch unexpected child processes
- Segment HMI engineering workstations from corporate networks using firewall rules consistent with IEC 62443 zone and conduit guidance
# Configuration example: identify V-SFT v6 installations on Windows hosts
Get-ItemProperty "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" |
Where-Object { $_.DisplayName -like "*V-SFT*" } |
Select-Object DisplayName, DisplayVersion, InstallLocation
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

