CISA Issues Advisory for High-Severity Vulnerabilities in Fuji Electric HMI Products
Earlier this week, the US Cybersecurity and Infrastructure Security Agency (CISA) released an advisory informing industrial organizations of a critical flaw in SCADA/HMI products made by Fuji Electric, a Japanese electrical equipment company. Some organizations therefore face a security threat from potentially serious vulnerabilities. The impacted Fuji products are Tellus Lite V-Simulator and V-Server Lite, which help users monitor and operate plants from remote locations. In the advisory, CISA states that the products are used worldwide and by US manufacturers.
The vulnerabilities were reported to Fuji Electric via Trend Micro’s bug bounty program, the Zero Day Initiative, and CISA. The flaws have been described as uninitialized pointer issues, out-of-bounds read/write, and buffer overflow. The former can be exploited for arbitrary code execution, meaning that an attacker could gain access to a network simply by tricking the targeted user into clicking on a malicious file.