Fuji Electric Tellus Lite V-Simulator (Update A)
Fuji Electric Tellus Lite V-Simulator contains multiple buffer overflow vulnerabilities (CVE-2024-11799, CVE-2024-11800, CVE-2024-11801, CVE-2024-11802, CVE-2024-11803) in the simulator component that could crash the application when a user opens a malicious file. VS5Sim (V-Simulator Ver5) is vulnerable to these issues. V-Simulator Ver6 includes screening to prevent exploitation of the first three CVEs. Fuji Electric released TELLUS V4.0.22.0 in May 2025 with fixes for CVE-2024-11802 and CVE-2024-11803, replacing V-Simulator Ver5 with Ver6 in new packages.
- Tellus Lite V-Simulator Ver5 must be installed (vulnerability present in 4.0.20.0 and earlier)
VS5Sim is a simulator of V-SFT Ver5 packaged with TELLUS Lite. VS6Sim screens incoming data to prevent malicious files from exploiting CVE-2024-11799, CVE-2024-11800, and CVE-2024-11801. Fuji Electric has replaced V-SFT Ver5 with V-SFT Ver6 in new versions of TELLUS Lite. In May 2025, Fuji Electric released TELLUS V4.0.22.0, which fixes CVE-2024-11802 and CVE-2024-11803 in V-Simulator Ver6. Consequently, V-Simulator Ver5 will be removed from the package and replaced with V-Simulator Ver6. Users are encouraged to download the latest version.

CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA recommends users take the following measures to protect themselves from social engineering attacks:

- Do not click web links or open attachments in unsolicited email messages.
- Refer to Recognizing and Avoiding Email Scams for more information on avoiding email scams.
- Refer to Avoiding Social Engineering and Phishing Attacks for more information on social engineering attacks.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets. Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploitation specifically targeting these vulnerabilities has been reported to CISA at this time. These vulnerabilities are not exploitable remotely.