JVNDB-2025-015451

Multiple vulnerabilities in FUJI Electric V-SFT

Overview

V-SFT provided by FUJI ELECTRIC CO., LTD. contains multiple vulnerabilities listed below.

  • Stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom (CWE-121) - CVE-2025-61856


  • Out-of-bounds write in VS6ComFile!CItemExChange::WinFontDynStrCheck (CWE-787) - CVE-2025-61857


  • Out-of-bounds write in VS6ComFile!set_AnimationItem (CWE-787) - CVE-2025-61858


  • Out-of-bounds write in VS6ComFile!CItemDraw::is_motion_tween (CWE-787) - CVE-2025-61859


  • Out-of-bounds read in VS6MemInIF!set_temp_type_default (CWE-125) - CVE-2025-61860


  • Out-of-bounds read in VS6ComFile!load_link_inf (CWE-125) - CVE-2025-61861

  • Out-of-bounds read in VS6ComFile!get_ovlp_element_size (CWE-125) - CVE-2025-61862


  • Out-of-bounds read in VS6ComFile!CSaveData::delete_mem (CWE-125) - CVE-2025-61863


  • Use after free in VS6ComFile!load_link_inf (CWE-416) - CVE-2025-61864



Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

CVSS Severity

CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-61856


CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-61857


CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-61858


CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-61859


CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-61860


CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-61861


CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-61862


CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-61863


CVSS V3 Severity:
Base Metrics 7.8 (High) [Other]
  • Attack Vector: Local
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
The above CVSS base scores have been assigned for CVE-2025-61864

Affected Products


Fuji Electric Co., Ltd.
  • V-SFT v6.2.7.0 and earlier

Impact

Opening specially crafted V-SFT files may lead to the following impacts:

  • Information disclosure

  • Affected system's abnormal end (ABEND)

  • Arbitrary code execution

Solution

[Update the software]
Update the software to the latest version according to the information provided by the developer.

Vendor Information

Fuji Electric Co., Ltd.

CWE

  1. Stack-based Buffer Overflow (CWE-121) [Other]
  2. Out-of-bounds Read (CWE-125) [Other]
  3. Use After Free (CWE-416) [Other]
  4. Out-of-bounds Write (CWE-787) [Other]

CVE

  1. CVE-2025-61856
  2. CVE-2025-61857
  3. CVE-2025-61858
  4. CVE-2025-61859
  5. CVE-2025-61860
  6. CVE-2025-61861
  7. CVE-2025-61862
  8. CVE-2025-61863
  9. CVE-2025-61864

References

  1. JVN : JVNVU#90008453

Revision History

  • [2025/10/09]
      Web page was published