Fuji Electric Alpha5 SMART
Monitor · CVSS 7.8 · ICS-CERT ICSA-25-016-05 · Jan 16, 2025
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
A stack-based buffer overflow (CWE-121) in Fuji Electric Alpha5 SMART version 4.5 and earlier allows arbitrary code execution. Exploitation requires local access to a machine running the software and user interaction; the vulnerability is not remotely exploitable. Fuji Electric has indicated that this product line will not be patched and recommends that users upgrade to Alpha7.
What this means
What could happen
An attacker with local access to a machine running Alpha5 SMART could execute arbitrary code, potentially altering process parameters or disrupting the control system's operation. Because the vendor will not release a fix, the vulnerability cannot be patched and must be addressed with compensating controls.
Who's at risk
Energy sector operators running Fuji Electric Alpha5 SMART (version 4.5 or earlier) on engineering workstations or process control computers should prioritize this. Any facility using Alpha5 SMART for SCADA or power system control is affected.
How it could be exploited
An attacker must have local access to a workstation or system running Alpha5 SMART and must get a user to perform an action such as opening a malicious file (the CVSS vector shows User Interaction: Required). Once triggered, the attacker gains code execution on that machine at the privilege level of the user running the software.
Prerequisites
- Local access to a machine running Alpha5 SMART
- User interaction required (e.g., opening a malicious file)
- No authentication bypass required
Tags: no patch available · requires local access and user interaction · affects control system engineering software · vendor will not fix this product line
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (1)
Product | Affected Versions | Fix Status
Alpha5 SMART | ≤ 4.5 | No fix (EOL)
Remediation & Mitigation
Do now
HARDENING: Implement network segmentation; isolate Alpha5 SMART systems from business networks and the Internet
HARDENING: Restrict physical and remote access to workstations and systems running Alpha5 SMART to authorized personnel only
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
HOTFIX: Upgrade systems from Alpha5 SMART to Alpha7 (vendor-recommended alternative)
Mitigations - no patch available
Alpha5 SMART ≤ 4.5 has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: If remote access is required, enforce VPN with current patches and strong authentication
CVEs (1)