16 Zero-Day Vulnerabilities Discovered in Fuji Electric Monitoring Software

Recent findings by security researchers have revealed a total of 16 zero-day vulnerabilities in the remote monitoring software developed by Fuji Electric, a prominent Japanese manufacturer of industrial equipment. These vulnerabilities potentially allow attackers to execute malicious code within devices that are critical for utility providers and other essential service organizations.

The Zero Day Initiative has reported that these critical vulnerabilities lie within Fuji Electric’s Tellus and Tellus Lite monitoring software, as well as V-Server and its associated simulator modules. Such software is integral to managing and controlling operations remotely, which is a fundamental necessity in today’s industrial landscape.

Fuji Electric, established in 1923, produces various industrial machinery and systems, including power semiconductors and electric equipment. The Tellus and V-Server platforms specifically facilitate industrial operators in maintaining efficient operations and data management, thus contributing to the crucial infrastructure that supports modern utilities.

However, researchers have expressed concerns regarding the Monitouch V-SFT vulnerabilities, which could be exploited to execute arbitrary code on affected systems. The requirement for user interaction for successful exploitation raises significant risks, as adversaries could lure users into visiting malicious websites or opening infected files, thereby gaining unauthorized access.

This disclosure is reminiscent of a prior alert issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) in June regarding the Tellus Lite V-Simulator. That earlier warning underscored the potential for out-of-bounds write and stack-based buffer overflow vulnerabilities to facilitate the execution of malicious code.

Previously, in 2021, Fuji Electric addressed multiple vulnerabilities within its Tellus Lite V-Simulator and V-Server Lite monitoring software. These serious vulnerabilities posed risks that enabled attackers to execute arbitrary code and potentially launch denial-of-service attacks, as well as access sensitive information.

According to investigators, the newly identified vulnerabilities are attributed to improper validation of user-supplied data, leading to an out-of-bounds write vulnerability during file parsing. This critical flaw permits attackers to execute code within the context of the current process, amplifying the potential threat to critical infrastructure.

The vulnerabilities have been assigned unique CVE codes due to their specific characteristics and impacts on systems such as V-SFT v6.2.2.0 and earlier, as well as earlier versions of the TELLUS and V-Server software. Fuji Electric has sought an extension until April 2025 to implement necessary patches, presenting an ongoing risk to operators relying on their technology.

In evaluating this security breach using the MITRE ATT&CK framework, one can identify relevant tactics such as initial access and privilege escalation. Attackers may leverage social engineering techniques to gain entry, while insufficient system defenses can allow them to elevate their access privileges post-exploitation, further endangering critical infrastructure.