Fuji Electric HMI Configurator Flaws: Industrial Software Vulnerabilities Expose Hack Risks

Fuji Electric’s Monitouch V-SFT, Tellus Lite V-Simulator, and V-Server Lite tools contain critical flaws (CVE-2024-11787, others) enabling remote code execution. CISA urges urgent patching.

    Fuji Electric’s industrial software tools—particularly those used to configure and simulate operations for human-machine interfaces (HMIs)—are under security scrutiny again following a series of vulnerability disclosures that raise critical concerns across the operational technology (OT) landscape. With flaws affecting popular software components such as Monitouch V-SFT, Tellus Lite V-Simulator, and V-Server Lite, industrial cybersecurity stakeholders are being urged to prioritize patching and reevaluate risk exposure on connected systems.

    Remote Code Execution Vulnerability Found in V-SFT Configuration Software

    A critical vulnerability in Monitouch V-SFT exposes industrial control systems to potential remote attacks.

    On April 24, 2025, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) published an advisory warning about a newly discovered vulnerability in Fuji Electric’s Monitouch V-SFT software, which is used to configure HMI devices across the company’s Monitouch series. Identified as CVE-2024-11787, the vulnerability affects versions 6.2.3.0 and earlier and stems from inadequate validation of user-supplied data during the parsing of V10 configuration files.

    This out-of-bounds write issue allows a remote, unauthenticated attacker to execute arbitrary code on the host machine, resulting in a full system crash or potential hijack of HMI operations.

    According to CISA, successful exploitation could have significant operational consequences:

    • Disrupt industrial process visibility and control
    • Introduce the risk of physical process manipulation
    • Enable lateral movement within OT networks

    Administrators are advised to upgrade to the latest V-SFT software version immediately to mitigate this risk.

    Additional Critical Bugs in Simulation and Monitoring Tools

    Tellus Lite V-Simulator and V-Server Lite have also been found vulnerable to multiple memory safety issues.

    The scope of risk extends beyond configuration software. Several additional vulnerabilities affect Fuji Electric’s Tellus Lite V-Simulator and V-Server Lite applications—tools designed for simulating and monitoring industrial processes. CISA previously detailed a group of these flaws under multiple CVE identifiers, each carrying a CVSS v3 score of 7.8:

    • CVE-2021-22637 – stack-based buffer overflow
    • CVE-2021-22639 – use of uninitialized pointer
    • CVE-2021-22641 – heap-based buffer overflow
    • CVE-2021-22653 – out-of-bounds write
    • CVE-2021-22655 – out-of-bounds read

    Exploitation of these bugs could allow remote attackers to execute malicious code under the same privileges as the impacted application, potentially leading to a full compromise of industrial systems. Public exploits for some flaws have already been released, raising the active threat level for unpatched environments.

    Fuji Electric has patched these vulnerabilities in version 4.0.10.0 of its V-Simulator and V-Server Lite products, and CISA strongly advises operators to update without delay.

    Nature of the Flaws Points to Broader Development Concerns

    Security analysts note that the types of vulnerabilities—heap overflows, untrusted pointer dereferences, and use-after-free errors—are indicative of chronic memory management issues in Fuji Electric’s HMI software stack. A review of historical disclosures by Kaspersky ICS-CERT and CISA illustrates that buffer overflow and code execution vulnerabilities have persisted in various Fuji Electric products over several software generations.

    For instance:

    • The 2018 disclosure affecting FRENIC-series motor drives and Alpha5 Smart Loader revealed similar buffer overflow vectors.
    • A 2017 advisory on Monitouch V-SFT (CVE-2017-9659, CVE-2017-9660, CVE-2017-9662) included stack overflows and privilege escalation risks.

    These patterns suggest that secure software development practices may not yet be uniformly implemented, increasing the urgency for Fuji Electric to perform comprehensive code audits and supply chain risk assessments.

    Industrial Impact and Remediation Strategy

    Industrial sectors using Fuji Electric’s HMI infrastructure must reassess their patching timelines to limit the risk of operational disruption.

    Products like Fuji Electric’s Monitouch V9, Monitouch X1, and Technoshot TS—widely deployed in manufacturing, utilities, and other industrial sectors—rely on V-SFT for configuration. This tightly integrated software-hardware coupling means that vulnerabilities in the configuration layer affect the full HMI lifecycle, from development through runtime.

    In light of the recent disclosures:

    1. Inventory Assessment – Organizations should immediately inventory all systems using affected versions of V-SFT, Tellus Lite V-Simulator, and V-Server Lite.
    2. Patch Installation – Upgrade to Monitouch V-SFT versions later than 6.2.3.0 and V-Simulator/V-Server Lite version 4.0.10.0 to address known CVEs.
    3. Network Segmentation – Ensure that HMI configuration environments are isolated from external access to reduce remote threat vectors.
    4. Code Review and Whitelisting – Apply application whitelisting and behavior monitoring to detect unauthorized activity originating from these tools.
    5. Vendor Coordination – Engage Fuji Electric for updated security guidance, firmware patches, and product lifecycle support.
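
    Steps 1 and 2 can be combined into a single triage pass over an asset inventory. The sketch below is an added example, not Fuji Electric or CISA tooling; the CSV columns, hostnames and product keys are assumptions, and only the version bounds and CVE identifiers come from the text above. Note the different bounds: V-SFT is affected up to and including 6.2.3.0, while V-Simulator and V-Server Lite are fixed at 4.0.10.0.

```python
import csv
import io

# Bounds from the article: V-SFT 6.2.3.0 and earlier is affected (inclusive);
# V-Simulator / V-Server Lite are fixed in 4.0.10.0 (exclusive).
# Product keys are this example's own naming (assumption).
SIM_REFS = "CVE-2021-22637/22639/22641/22653/22655"
RULES = {
    "v-sft": {"bound": (6, 2, 3, 0), "inclusive": True, "refs": "CVE-2024-11787"},
    "tellus lite v-simulator": {"bound": (4, 0, 10, 0), "inclusive": False, "refs": SIM_REFS},
    "v-server lite": {"bound": (4, 0, 10, 0), "inclusive": False, "refs": SIM_REFS},
}

def parse_version(text):
    """Return a 4-part integer tuple, or None if the string is not a dotted version."""
    parts = text.strip().split(".")
    if not 1 <= len(parts) <= 4 or not all(p.isdecimal() for p in parts):
        return None
    return tuple(int(p) for p in parts) + (0,) * (4 - len(parts))

def triage(inventory_csv):
    """Classify each row as 'affected', 'ok', 'unknown-version' or 'not-in-scope'."""
    findings = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        rule = RULES.get(row["product"].strip().lower())
        version = parse_version(row["version"])
        if rule is None:
            status, refs = "not-in-scope", ""
        elif version is None:
            # Unparseable version: flag for manual verification, do not assume patched.
            status, refs = "unknown-version", rule["refs"]
        else:
            hit = version <= rule["bound"] if rule["inclusive"] else version < rule["bound"]
            status, refs = ("affected" if hit else "ok"), (rule["refs"] if hit else "")
        findings.append((row["host"], row["product"], row["version"], status, refs))
    return findings

# Constructed sample inventory (hostnames and versions are made up).
SAMPLE = """host,product,version
eng-ws-01,V-SFT,6.2.3.0
eng-ws-02,V-SFT,6.2.4.0
sim-01,Tellus Lite V-Simulator,4.0.9.1
mon-01,V-Server Lite,4.0.10.0
mon-02,V-Server Lite,4.0.10
eng-ws-03,V-SFT,6.x
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE):
        print(*finding, sep="\t")
```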

    Concluding Considerations for Industrial Cybersecurity Teams

    Fuji Electric vulnerabilities represent a growing concern in the industrial cybersecurity domain, where HMI systems serve as gateways between human operators and automated processes. While patch availability mitigates immediate risk, these recurring exposures underline persistent engineering challenges and elevate the need for zero-trust architectures and secure-by-design development roadmaps.

    Stakeholders managing Fuji Electric HMI deployments must act swiftly to update vulnerable software, limit exposure pathways, and institute stronger security controls across design and operations.
