Severity by source
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
3DescriptionCVE.org
V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in VS6ComFile!load_link_inf. Opening a crafted V7 file may lead to information disclosure from the affected product.
AnalysisAI
Out-of-bounds read in Fuji Electric V-SFT industrial HMI software (versions ≤6.2.10.0) enables local attackers to disclose sensitive information and potentially achieve code execution when victims open maliciously crafted V7 project files. The vulnerability resides in the VS6ComFile!load_link_inf function during V7 file parsing. CVSS 8.4 reflects high confidentiality and integrity impact with low attack complexity requiring user interaction. No public exploit identified at time of analysis, though JPCERT coordination suggests targeted industrial sector awareness.
Technical ContextAI
V-SFT is Fuji Electric's supervisory control and data acquisition (SCADA) human-machine interface (HMI) development software used in industrial automation environments. The vulnerability (CWE-125: Out-of-bounds Read) occurs in the VS6ComFile module's load_link_inf function during parsing of proprietary V7 project files. Out-of-bounds read vulnerabilities allow attackers to access memory locations beyond allocated buffers, potentially exposing sensitive data structures, cryptographic keys, or memory layout information useful for ASLR bypass. The affected CPE (cpe:2.3:a:fuji_electric_co.,_ltd._/_hakko_electronics_co.,_ltd.:v-sft) indicates this is a joint product from Fuji Electric and Hakko Electronics. CVSS 4.0 vector shows local attack vector (AV:L) requiring user interaction (UI:A) but no privileges (PR:N), with high impact to confidentiality and integrity at the vulnerable component level. The JPCERT coordination suggests this affects critical infrastructure sectors where V-SFT is deployed for industrial process control.
RemediationAI
Users should immediately upgrade to V-SFT version 6.2.11.0 or later as indicated in the vendor advisory at https://felib.fujielectric.co.jp/en/M10010/M20060/document_detail/5d9dd71d-9494-41a4-aa5c-8e6b8b21066b?region=en-glb. Until patching is complete, implement compensating controls including restricting V7 file sources to trusted vendors only, scanning project files on isolated systems before opening on production engineering workstations, and applying application whitelisting to prevent unauthorized executables. Organizations should review file handling procedures and endpoint detection capabilities on HMI engineering stations, as these systems often lack modern security controls. Consult the JPCERT coordination notice at https://jvn.jp/en/vu/JVNVU90448293/ for additional regional guidance, and coordinate upgrades during planned maintenance windows following standard operational technology change management procedures to minimize production impact.
Stack-based buffer overflow in Fuji Electric/Hakko Electronics V-SFT versions through 6.2.10.0 enables arbitrary code ex
Stack-based buffer overflow in Fuji Electric/HAKKO Electronics V-SFT automation software (versions ≤6.2.10.0) allows arb
Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to disclose sensitive information
Out-of-bounds read in Fuji Electric V-SFT 6.2.10.0 and earlier allows local attackers to extract sensitive memory conten
Access of uninitialized pointer vulnerability exists in the simulator module contained in the graphic editor 'V-SFT' ver
Use after free vulnerability exists in the simulator module contained in the graphic editor 'V-SFT' versions prior to v6
Out-of-bounds read vulnerability exist in the simulator module contained in the graphic editor 'V-SFT' v6.1.3.0 and earl
Heap-based buffer overflow exists in the simulator module contained in the graphic editor 'V-SFT' versions prior to v6.1
Same weakness CWE-125 – Out-of-bounds Read
View allSame technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-18100
GHSA-h298-9cph-7xc6