Skip to main content
CVE Vulnerability Database
Vulnerability Database/CVE-2025-61861

CVE-2025-61861: Fujielectric Monitouch V-sft RCE Flaw

CVE-2025-61861 is an out-of-bounds read flaw in Fujielectric Monitouch V-sft that enables remote code execution via malicious files. This article covers the technical details, affected versions, impact, and mitigation.

Published:

CVE-2025-61861 Overview

CVE-2025-61861 is an out-of-bounds read vulnerability in the VS6ComFile!load_link_inf function of Fuji Electric V-SFT v6.2.7.0 and earlier. The flaw is triggered when a user opens a specially crafted V-SFT project file. Successful exploitation can lead to information disclosure, abnormal process termination (ABEND), or arbitrary code execution within the context of the V-SFT application. V-SFT is configuration software for Fuji Electric Monitouch human-machine interface (HMI) panels, making this issue relevant to industrial control system (ICS) engineering workstations.

Critical Impact

Opening a malicious V-SFT file on an engineering workstation can leak memory contents and allow arbitrary code execution, providing a foothold into operational technology (OT) environments.

Affected Products

  • Fuji Electric Monitouch V-SFT v6.2.7.0
  • All prior versions of Fuji Electric Monitouch V-SFT v6
  • HMI engineering workstations running vulnerable V-SFT installations

Discovery Timeline

  • 2025-10-10 - CVE-2025-61861 published to NVD
  • 2026-06-17 - Last updated in NVD database

Technical Details for CVE-2025-61861

Vulnerability Analysis

The vulnerability resides in the VS6ComFile!load_link_inf routine, which parses link information embedded in V-SFT project files. The routine reads structured data without correctly validating offsets or length fields against the bounds of the underlying buffer. When a crafted file supplies attacker-controlled size or index values, the parser reads memory outside the intended allocation. Depending on the memory layout at the time of parsing, the out-of-bounds read can disclose adjacent heap data, cause the process to terminate abnormally, or be chained with additional primitives to achieve arbitrary code execution. The weakness is classified as [CWE-125] Out-of-Bounds Read.

Root Cause

The root cause is missing bounds validation in the V-SFT file parser. VS6ComFile!load_link_inf trusts length and offset values stored in the input file when iterating over link information structures. Without sanity checks against the actual buffer size, malformed records cause the function to dereference memory beyond the allocated region.

Attack Vector

Exploitation requires local user interaction. An attacker delivers a malicious V-SFT file through email, shared drives, removable media, or compromised project repositories. When an engineer opens the file in V-SFT, the parser processes the crafted link information and triggers the out-of-bounds read. The attack vector aligns with common ICS targeting patterns where engineering workstations are reached through spear-phishing or supply-chain compromise of project files.

No public proof-of-concept exploit is available, and the issue is not listed in the CISA Known Exploited Vulnerabilities catalog. See the JVN Security Vulnerability Report for additional technical context.

Detection Methods for CVE-2025-61861

Indicators of Compromise

  • Unexpected crashes or ABEND events of the V-SFT v6 process on engineering workstations
  • V-SFT project files (.V8, .V9, and related extensions) received from untrusted sources or external email
  • Anomalous child processes spawned by the V-SFT executable following file open events
  • New or modified V-SFT project files in shared engineering directories without corresponding change-control records

Detection Strategies

  • Monitor process crash and Windows Error Reporting (WER) events associated with V-SFT binaries on HMI engineering hosts
  • Correlate file-open events for V-SFT extensions with subsequent process injection, memory allocation, or network connection activity
  • Inspect inbound email and file-share traffic for V-SFT project files originating from outside the engineering team

Monitoring Recommendations

  • Enable endpoint detection and response (EDR) telemetry on all engineering workstations that run V-SFT
  • Forward V-SFT application logs and Windows application event logs to a centralized SIEM for retention and analysis
  • Baseline normal V-SFT usage patterns so that off-hours file opens and unusual parent-child process relationships generate alerts

How to Mitigate CVE-2025-61861

Immediate Actions Required

  • Inventory all systems running Fuji Electric Monitouch V-SFT v6 and identify versions at or below 6.2.7.0
  • Restrict V-SFT usage to dedicated engineering workstations isolated from general corporate email and web browsing
  • Instruct engineers to open V-SFT project files only when their origin and integrity have been verified
  • Apply the vendor-supplied update as soon as it becomes available for your environment

Patch Information

Fuji Electric distributes updated V-SFT v6 installers through the official download portal. Refer to the Fuji Electric Monitouch Download Page for the latest fixed release and to the JVN Security Vulnerability Report for advisory details. Upgrade all V-SFT v6 installations beyond version 6.2.7.0 to remediate the out-of-bounds read in VS6ComFile!load_link_inf.

Workarounds

  • Block delivery of V-SFT project files through perimeter email and web gateways unless they originate from approved partners
  • Store project files in version-controlled repositories that enforce integrity checks and authenticated commits
  • Apply application allowlisting so V-SFT executables run only from approved paths and cannot launch unexpected child processes
  • Segment HMI engineering workstations from corporate networks using firewall rules consistent with IEC 62443 zone and conduit guidance
bash
# Configuration example: identify V-SFT v6 installations on Windows hosts
Get-ItemProperty "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*" |
  Where-Object { $_.DisplayName -like "*V-SFT*" } |
  Select-Object DisplayName, DisplayVersion, InstallLocation

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.