Published: 2025/10/08  Last Updated: 2025/10/08

JVNVU#90008453
Multiple vulnerabilities in FUJI Electric V-SFT

Overview

V-SFT provided by FUJI ELECTRIC CO., LTD. contains multiple vulnerabilities.

Products Affected

  • V-SFT v6.2.7.0 and earlier

Description

V-SFT provided by FUJI ELECTRIC CO., LTD. contains multiple vulnerabilities listed below.

  • Stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom (CWE-121)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-61856
  • Out-of-bounds write in VS6ComFile!CItemExChange::WinFontDynStrCheck (CWE-787)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-61857
  • Out-of-bounds write in VS6ComFile!set_AnimationItem (CWE-787)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-61858
  • Out-of-bounds write in VS6ComFile!CItemDraw::is_motion_tween (CWE-787)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-61859
  • Out-of-bounds read in VS6MemInIF!set_temp_type_default (CWE-125)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-61860
  • Out-of-bounds read in VS6ComFile!load_link_inf (CWE-125)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-61861
  • Out-of-bounds read in VS6ComFile!get_ovlp_element_size (CWE-125)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-61862
  • Out-of-bounds read in VS6ComFile!CSaveData::delete_mem (CWE-125)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-61863
  • Use after free in VS6ComFile!load_link_inf (CWE-416)
    • CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N Base Score 8.4
    • CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H Base Score 7.8
    • CVE-2025-61864

Impact

Opening specially crafted V-SFT files may lead to the following impacts:

  • Information disclosure
  • Affected system's abnormal end (ABEND)
  • Arbitrary code execution

Solution

Update the software
Update the software to the latest version according to the information provided by the developer.

Vendor Status

Vendor Link
FUJI ELECTRIC CO., LTD. / Hakko Electronics Co., Ltd. Improvement Information No. 25A0H08

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

Credit

Michael Heinzl reported these vulnerabilities to JPCERT/CC.
JPCERT/CC coordinated with the developer.

Other Information

CVE: CVE-2025-61856, CVE-2025-61857, CVE-2025-61858, CVE-2025-61859, CVE-2025-61860, CVE-2025-61861, CVE-2025-61862, CVE-2025-61863, CVE-2025-61864