Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.
AnalysisAI
Stack-based buffer overflow in Fuji Electric/HAKKO Electronics V-SFT automation software (versions ≤6.2.10.0) allows arbitrary code execution when opening a maliciously crafted V7 project file. An attacker must convince a user to open a weaponized file, requiring no authentication but user interaction. EPSS data not available; no public exploit identified at time of analysis, though the specific function (CV7BaseMap::WriteV7DataToRom) and vulnerability class (stack overflow) provide sufficient technical detail for skilled attackers to develop exploits.
Technical ContextAI
V-SFT is industrial automation programming software from Fuji Electric/HAKKO Electronics used for configuring programmable display terminals and HMI devices. The vulnerability exists in the VS6ComFile module's CV7BaseMap::WriteV7DataToRom function, which processes V7 project files. CWE-121 (stack-based buffer overflow) indicates the software fails to validate input size when copying data to a fixed-size stack buffer during V7 file parsing. When processing attacker-controlled file content, excessive data overwrites adjacent stack memory including return addresses, enabling control flow hijacking and arbitrary code execution with the privileges of the application. This is a classic memory corruption vulnerability in file format parsing-a common attack surface in industrial control system (ICS) engineering software that processes complex proprietary file formats.
RemediationAI
Organizations should immediately consult the Fuji Electric vendor advisory at https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b?region=en-glb for patch availability and upgrade instructions; patch status not independently confirmed from available data but vendor acknowledgment indicates remediation planning. Until patching, implement defensive controls: restrict V-SFT workstations from internet access, prohibit opening V7 project files from untrusted sources, implement application whitelisting to prevent arbitrary code execution, and scan incoming project files with updated antivirus solutions. Use secure file transfer procedures with digital signatures when exchanging V7 files with partners. For air-gapped ICS environments, enforce USB media scanning and change control procedures for all project files introduced to the network.
Stack-based buffer overflow in Fuji Electric/Hakko Electronics V-SFT versions through 6.2.10.0 enables arbitrary code ex
Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to disclose sensitive information
Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to extract sensitive memory conten
Out-of-bounds read in Fuji Electric V-SFT industrial HMI software (versions ≤6.2.10.0) enables local attackers to disclo
Access of uninitialized pointer vulnerability exists in the simulator module contained in the graphic editor 'V-SFT' ver
Use after free vulnerability exists in the simulator module contained in the graphic editor 'V-SFT' versions prior to v6
Out-of-bounds read vulnerability exist in the simulator module contained in the graphic editor 'V-SFT' v6.1.3.0 and earl
Heap-based buffer overflow exists in the simulator module contained in the graphic editor 'V-SFT' versions prior to v6.1
Same weakness CWE-121 – Stack-based Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18098
GHSA-257x-mvvc-g6ff