CVE-2025-61860 is an out-of-bounds read vulnerability identified in the V-SFT software developed by FUJI ELECTRIC CO., LTD. and Hakko Electronics Co., Ltd., specifically in the VS6MemInIF!set_temp_type_default function. This vulnerability affects versions 6.2.7.0 and earlier. The flaw arises when the software processes specially crafted V-SFT files, causing it to read memory outside the intended buffer boundaries. This memory corruption can lead to multiple adverse outcomes: disclosure of sensitive information from memory, abnormal program termination (ABEND), and in some cases, arbitrary code execution. The CVSS v3.1 base score is 7.8, reflecting high severity, with attack vector classified as local (AV:L), low attack complexity (AC:L), no privileges required (PR:N), but requiring user interaction (UI:R). The scope remains unchanged (S:U), and the impact on confidentiality, integrity, and availability is high (C:H/I:H/A:H). No public exploits have been reported yet, but the vulnerability poses a significant risk, especially in industrial control or manufacturing environments where V-SFT is used for system configuration or control. The vulnerability's exploitation could allow attackers to compromise system integrity, leak sensitive operational data, or disrupt critical processes.

For European organizations, especially those in manufacturing, industrial automation, and critical infrastructure sectors, this vulnerability could have severe consequences. V-SFT is used in programmable logic controller (PLC) programming and industrial control systems, so exploitation could lead to unauthorized disclosure of sensitive operational data, disruption of manufacturing processes, or even full system compromise. This could result in production downtime, financial losses, intellectual property theft, and safety risks. Given the high impact on confidentiality, integrity, and availability, organizations relying on FUJI ELECTRIC's V-SFT software face risks to both operational continuity and data security. Additionally, the requirement for user interaction means phishing or social engineering could be vectors to trigger exploitation. The absence of known exploits currently provides a window for proactive mitigation before active attacks emerge.

European organizations should immediately identify all instances of V-SFT software version 6.2.7.0 and earlier within their environments. Since no official patches are listed yet, organizations should apply the following mitigations: restrict access to V-SFT software to trusted users only; implement strict file validation and scanning policies to prevent opening untrusted or unsolicited V-SFT files; enhance user awareness training to avoid opening suspicious files; employ application whitelisting and sandboxing to limit the impact of potential exploitation; monitor logs and system behavior for signs of abnormal termination or suspicious activity related to V-SFT; coordinate with FUJI ELECTRIC and Hakko Electronics for timely patch releases and apply updates as soon as they become available; consider network segmentation to isolate systems running V-SFT from broader enterprise networks to limit lateral movement in case of compromise.