Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::_conv_AnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.
AnalysisAI
Stack-based buffer overflow in Fuji Electric/Hakko Electronics V-SFT versions through 6.2.10.0 enables arbitrary code execution when processing malicious V7 project files. Local attackers can exploit this via social engineering to deliver weaponized files requiring user interaction to open. CVSS 8.4 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with EPSS data unavailable for this newly-assigned CVE. Japanese vulnerability coordination (JPCERT/JVN) indicates regional industrial control system exposure.
Technical ContextAI
V-SFT is a programming and configuration software for Fuji Electric/Hakko Electronics programmable logic controllers and human-machine interfaces used in industrial automation environments. The vulnerability exists in the VS6ComFile component's CSaveData::_conv_AnimationItem function, which handles animation data conversion when parsing V7 project files. CWE-121 (stack-based buffer overflow) occurs when the application fails to validate input length during file parsing, allowing attacker-controlled data to exceed allocated stack buffer boundaries. This classic memory corruption vulnerability can overwrite return addresses or function pointers on the stack, redirecting execution flow to attacker-supplied code. The affected CPE (cpe:2.3:a:fuji_electric_co.,_ltd._/_hakko_electronics_co.,_ltd.:v-sft) indicates this impacts industrial control system engineering workstations, creating potential supply chain risk if compromised projects are distributed to operational technology environments.
RemediationAI
Users should immediately consult the Fuji Electric vendor advisory at https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b for patch availability and upgrade instructions, as specific remediated version numbers are not included in available vulnerability data. Until patching is completed, organizations should implement defense-in-depth controls including restricting V-SFT software to isolated engineering workstations without internet access, enforcing strict controls on V7 project file sources with mandatory scanning of files from external parties, implementing application whitelisting to prevent unauthorized code execution, and conducting security awareness training for engineers on risks of opening untrusted project files. Organizations should verify file integrity using cryptographic hashes when receiving projects from trusted partners and maintain offline backups of validated project files. The JVN advisory at https://jvn.jp/en/vu/JVNVU90448293/ may contain additional mitigation guidance specific to Japanese industrial control system environments.
Stack-based buffer overflow in Fuji Electric/HAKKO Electronics V-SFT automation software (versions ≤6.2.10.0) allows arb
Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to disclose sensitive information
Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to extract sensitive memory conten
Out-of-bounds read in Fuji Electric V-SFT industrial HMI software (versions ≤6.2.10.0) enables local attackers to disclo
Access of uninitialized pointer vulnerability exists in the simulator module contained in the graphic editor 'V-SFT' ver
Use after free vulnerability exists in the simulator module contained in the graphic editor 'V-SFT' versions prior to v6
Out-of-bounds read vulnerability exist in the simulator module contained in the graphic editor 'V-SFT' v6.1.3.0 and earl
Heap-based buffer overflow exists in the simulator module contained in the graphic editor 'V-SFT' versions prior to v6.1
Same weakness CWE-121 – Stack-based Buffer Overflow
View allSame technique Buffer Overflow
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18104
GHSA-2pr9-fr5g-p8hm