Fuji Electric Smart Editor
Plan Patch · CVSS 7.8 · ICS-CERT ICSA-25-168-04 · Jun 17, 2025
Fuji Electric · Energy
Attack path
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary
Fuji Electric Smart Editor versions 1.0.1.0 and earlier contain out-of-bounds read and write vulnerabilities (CWE-125, CWE-787, CWE-121) that allow arbitrary code execution. These vulnerabilities are not exploitable remotely and require local access to the machine running Smart Editor. Exploitation could allow an attacker to execute arbitrary code with user privileges on engineering workstations.
What this means
What could happen
An attacker with local access to a machine running Smart Editor could execute arbitrary code with the privileges of the logged-in user, potentially compromising engineering workstations and the configurations they manage for Fuji Electric control systems.
Who's at risk
Fuji Electric engineers and control system integrators using Smart Editor on Windows workstations. This affects energy sector organizations (electric utilities, power generation facilities) that use Fuji Electric programmable controllers and rely on Smart Editor for configuration and maintenance.
How it could be exploited
An attacker would need local access to a Windows machine where Smart Editor is installed. They could exploit memory corruption vulnerabilities (out-of-bounds read/write) by providing malicious input to the application, triggering code execution in the context of the user running Smart Editor.
Prerequisites
- Local access to the machine running Smart Editor
- User must be running or interacting with the Smart Editor application
- Fuji Electric Smart Editor version 1.0.1.0 or earlier
- Low complexity attack
- Memory corruption vulnerability (buffer overflow)
- Affects engineering environment with access to critical control configurations
Exploitability
Unlikely to be exploited — EPSS score 0.1%
Affected products (1)
Product | Affected Versions | Fix Status
Smart Editor | ≤ 1.0.1.0 | 1.0.2.0
Remediation & Mitigation
Do now
- HARDENING: Restrict physical and network access to engineering workstations running Smart Editor to authorized personnel only
Schedule — requires maintenance window
Patching may require a device reboot; plan for process interruption.
- HOTFIX: Update Smart Editor to version 1.0.2.0 or later
- HARDENING: Implement USB restrictions and removable media controls on machines running Smart Editor to limit local attack vectors
Long-term hardening
- HARDENING: Isolate engineering workstations and development networks from business networks using firewalls and network segmentation