Overview
A recently identified cybersecurity vulnerability, CVE-2025-50130, presents a significant risk to users of V-SFT and TELLUS software provided by FUJI ELECTRIC CO., LTD. This vulnerability allows a potential attacker to execute arbitrary code, potentially leading to system compromise or data leakage. Given that V-SFT and TELLUS are frequently used in industrial settings, the implications of this vulnerability could be severe, impacting not just data integrity but potentially physical operations and safety as well.
Vulnerability Summary
CVE ID: CVE-2025-50130
Severity: High (7.8 CVSS Score)
Attack Vector: Local
Privileges Required: None
User Interaction: Required
Impact: System compromise, data leakage
Affected Products
Share secrets securely
Ameeba is private infrastructure for communication and sensitive work built on encrypted identity instead of exposed corporate identity systems.
Passwords, credentials, confidential files, screenshots, internal discussions, sensitive AI context, and private coordination should not become exposed across ordinary communication platforms.
- • Encrypted identity
- • Private Spaces for organizations and teams
- • End-to-end encrypted chat, calls, files, and notes
- • Sensitive AI work and protected collaboration
- • Built for information that cannot leak
Our mission is to secure human work alongside AI.
Product | Affected Versions
V-SFT | All versions prior to the vendor patch
TELLUS | All versions prior to the vendor patch
How the Exploit Works
The exploit hinges on a heap-based buffer overflow vulnerability within the VS6Sim.exe component of the V-SFT and TELLUS software. By crafting a malicious V9 or X1 file and getting the user to open it in the software, an attacker can cause a buffer overflow. This overflow can then lead to arbitrary code execution, allowing the attacker to potentially compromise the system or leak data.
Conceptual Example Code
Please note that the following example is a conceptual representation of how the exploit might work. It’s not actual code and can’t be used to exploit the vulnerability. The purpose is to demonstrate the underlying principles of the exploit.
#include <stdlib.h>
#include <string.h>
void vulnerable_function(char *input) {
char buffer[256];
strcpy(buffer, input);
}
int main(int argc, char **argv) {
char large_input[512];
memset(large_input, 'A', 511);
large_input[511] = '\0';
vulnerable_function(large_input);
return 0;
}
In this conceptual example, a large input is copied into a smaller buffer, causing a buffer overflow. In the context of the CVE-2025-50130 vulnerability, an attacker might use a similar approach to overflow the buffer in the VS6Sim.exe component with malicious code.
Mitigation
FUJI ELECTRIC CO., LTD. recommends applying the vendor patch to mitigate the vulnerability. In the absence of a patch, or until one can be applied, Web Application Firewalls (WAF) or Intrusion Detection Systems (IDS) can provide temporary mitigation. However, these are not long-term solutions and the patch should be applied as soon as possible to fully protect against the exploit.
