Skip to main content
CVE Vulnerability Database

CVE-2025-9365: Fuji Electric FRENIC-Loader 4 RCE Flaw

CVE-2025-9365 is a deserialization vulnerability in Fuji Electric FRENIC-Loader 4 that allows attackers to execute arbitrary code through malicious file imports. This article covers technical details, impact, and mitigation.

Published:

CVE-2025-9365 Overview

CVE-2025-9365 is a deserialization of untrusted data vulnerability in Fuji Electric FRENIC-Loader 4, a Windows-based configuration tool used to program and monitor FRENIC series variable frequency drives. The flaw is triggered when a user imports a crafted file through a specified window in the application. An attacker who convinces an operator to open a malicious file can execute arbitrary code in the context of the FRENIC-Loader 4 process. The issue is tracked under CWE-502: Deserialization of Untrusted Data and is documented in CISA ICS Advisory ICSA-25-245-02.

Critical Impact

Successful exploitation allows arbitrary code execution on engineering workstations used to configure industrial drives, providing a foothold into operational technology environments.

Affected Products

  • Fuji Electric FRENIC-Loader 4 (Windows engineering software)
  • Workstations used to configure FRENIC series variable frequency drives
  • ICS/OT environments that exchange project files between engineers and the loader application

Discovery Timeline

  • 2025-09-03 - CVE-2025-9365 published to NVD
  • 2026-04-15 - Last updated in NVD database

Technical Details for CVE-2025-9365

Vulnerability Analysis

FRENIC-Loader 4 deserializes data from files imported through a specific dialog window without validating or restricting the object types contained in the input. When the application reconstructs objects from the file, attacker-controlled type metadata and payloads are processed by the deserializer. This behavior creates a path for arbitrary code execution because gadget chains within loaded assemblies can run during object reconstruction. The vulnerability requires local access and user interaction, since an operator must initiate the import action against a malicious file.

Root Cause

The root cause is unsafe deserialization [CWE-502] in the file import routine. The loader trusts serialized input that should be treated as untrusted data crossing a security boundary. No type allow-list, signature check, or schema validation gates the deserialization step, so any serialized payload that resolves to a usable gadget chain is executed.

Attack Vector

The attack vector is local and requires user interaction. An attacker delivers a crafted project or configuration file through email, removable media, a shared drive, or a compromised supplier channel. An engineer opens FRENIC-Loader 4 and uses the affected import window to load the file. During deserialization, the embedded payload executes with the privileges of the logged-on user. On engineering workstations this often translates to access to additional ICS assets, credentials, and project repositories.

No verified public proof-of-concept code is available. Refer to the vendor advisory for technical details: Fuji Electric Document Detail.

Detection Methods for CVE-2025-9365

Indicators of Compromise

  • Unexpected child processes spawned by the FRENIC-Loader 4 executable, particularly cmd.exe, powershell.exe, rundll32.exe, or wscript.exe.
  • FRENIC-Loader 4 project or configuration files received from external or untrusted sources, especially via email or removable media.
  • Outbound network connections originating from the loader process to non-vendor infrastructure.
  • New persistence artifacts (scheduled tasks, Run keys, services) created shortly after a file import action on an engineering workstation.

Detection Strategies

  • Monitor process lineage on engineering workstations and alert when FRENIC-Loader 4 spawns scripting or shell interpreters.
  • Inspect file imports and flag files that arrive from outside the approved project repository or supplier channel.
  • Apply YARA or content rules to detect serialized .NET or generic gadget chain markers inside files associated with FRENIC-Loader 4.

Monitoring Recommendations

  • Forward process, file, and network telemetry from OT engineering workstations to a centralized analytics platform for correlation.
  • Track user-initiated file imports as high-value events and review them during incident triage.
  • Baseline normal FRENIC-Loader 4 behavior so deviations such as unusual child processes or network egress are easier to surface.

How to Mitigate CVE-2025-9365

Immediate Actions Required

  • Restrict use of FRENIC-Loader 4 to dedicated engineering workstations that are isolated from email and general internet browsing.
  • Only open project files that originate from trusted, verified sources, and validate file integrity before import.
  • Apply the principle of least privilege so engineers run FRENIC-Loader 4 as standard users rather than local administrators.
  • Review the CISA ICS Advisory ICSA-25-245-02 and apply the recommended defensive measures for ICS environments.

Patch Information

Refer to the vendor advisory at Fuji Electric Document Detail for the current fixed version and update instructions for FRENIC-Loader 4. Update affected installations to the vendor-supplied version that addresses the deserialization flaw.

Workarounds

  • Block FRENIC-Loader 4 file imports from any location other than a controlled, access-restricted project share.
  • Use application allow-listing on engineering workstations to prevent unauthorized child processes from launching.
  • Segment OT engineering workstations from corporate IT networks and restrict inbound email and web access on those systems.
  • Educate engineers and integrators to treat unsolicited drive configuration files as suspicious and verify them out-of-band before opening.

Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

Default Legacy - Prefooter | Experience the World’s Most Advanced Cybersecurity Platform

Experience the Most Advanced Cybersecurity Platform

See how the world’s most intelligent, autonomous cybersecurity platform can protect your organization today and into the future.