On June 24, 2026, the Zero Day Initiative published advisory ZDI-26-367 detailing a vulnerability in the Fuji Electric Tellus pcid64 driver that enables local privilege escalation to SYSTEM. The flaw, tracked as CVE-2026-8108 with a CVSS score of 7.8, was reported to the vendor on September 10, 2025. Fuji Electric has released a corrective update.
- The pcid64 kernel driver installed by Fuji Electric Tellus grants all users read and write permissions, exposing dangerous functions via Registry APIs
- An attacker with local access and limited privileges can escalate to SYSTEM and execute arbitrary code without user interaction (CVSS v3.1: 7.8 HIGH, vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
- The vulnerability affects the Critical Manufacturing sector; CISA associates the flaw with CWE-749 "Exposed Dangerous Method or Function"
- Exact technical details of the exposed Registry APIs are not public; specific affected versions have not been disclosed
Context: A Nine-Month Disclosure Cycle
CVE-2026-8108 follows a coordinated disclosure timeline typical of the ICS sector. Researcher Kim Myung-gyu, representing Trend Micro Zero Day Initiative, reported the flaw to CISA. The vendor, Fuji Electric, was notified on September 10, 2025. The coordinated advisory release followed on June 24, 2026, after roughly nine months of coordinated handling.
This window reflects the complexity of patching industrial systems, where updates must balance security and operational continuity. The Critical Manufacturing sector identified by CISA is especially sensitive to these dynamics: production lines dependent on HMIs (Human-Machine Interfaces) like Tellus cannot tolerate sudden downtime.
How the Attack Works: From Driver to SYSTEM Privileges
The flaw resides in the pcid64 driver, a kernel component added during Fuji Electric Tellus installation. As documented in the official CVE-2026-8108 record: "The installation of Fuji Tellus adds a driver to the kernel which grants all users read and write permissions." This configuration exposes dangerous functions through the Registry APIs.
According to the ZDI advisory, "the specific flaw exists within the pcid64 driver. The issue results from exposed dangerous functions. An attacker can leverage this vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM." The starting condition requires local execution capability with reduced privileges: this is not a remote attack; the vector is AV:L (Attack Vector Local) in the CVSS calculation.
The absence of user interaction (UI:N) makes the exploitation chain automatable once initial access is obtained. The CVSS v3.1 score of 7.8, with triple-high impact on confidentiality, integrity, and availability (C:H/I:H/A:H), classifies the vulnerability as HIGH.
"Successful exploitation of this vulnerability could allow an attacker to elevate privileges from user to system, which may then enable the attacker to cause a temporary denial of service, open files, or delete files." — CISA ICS Advisory ICSA-26-132-01
Why It Matters: Risk in the Industrial Sector
The CWE-749 classification "Exposed Dangerous Method or Function" indicates a recurring and particularly insidious programming pattern in kernel drivers. When a low-level component exposes powerful primitives without adequate access controls, the entire operating system security model is compromised.
In the case of Fuji Tellus, granting all users read/write permissions on the kernel driver eliminates the separation between user space and kernel space. This configuration, documented in the CVE-2026-8108 record, turns any limited initial compromise into total machine control.
The Critical Manufacturing sector, indicated by CISA as a primary target, presents characteristics that amplify risk. HMI systems often run on embedded Windows platforms with long update cycles. The presence of operators with limited physical or remote access, combined with the possibility of silent escalation, creates an extended attack surface.
The local attack vector (AV:L) is not a reason to underestimate the threat. In industrial environments, initial access can stem from compromised engineering workstations, USB devices, or supply chain compromises. Once a foothold is established, CVE-2026-8108 lets the attacker escalate to SYSTEM without further interaction.
Immediate Actions
Contact Fuji Electric to verify availability of the corrective update issued for this vulnerability. Consult CISA advisory ICSA-26-132-01 for information related to the Critical Manufacturing sector.
Verify the presence of the pcid64 driver on systems running Fuji Electric Tellus. Identify any installations with excessive permissions on the kernel component.
Monitor access logs for anomalies in Registry API usage by unauthorized processes. Apply the principle of least privilege to accounts with local access to HMI systems.
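One way to carry out the driver presence and permission check described above, as an added example that is not code from Fuji Electric, ZDI or CISA. It assumes the driver is registered as a kernel service named `pcid64` and audits only the service's registry key and the driver binary on disk; the function name `Get-BroadWriteAce` is hypothetical, and the driver's device object, whose details the advisories do not publish, is not inspected.

```powershell
# Added example (not vendor or advisory code). Read-only audit; run elevated on the HMI host.
# Assumption: the driver is registered as a kernel service named 'pcid64'.
$DriverName = 'pcid64'

# Well-known SIDs of broad, low-privileged groups:
# Everyone, Authenticated Users, BUILTIN\Users, INTERACTIVE
$BroadSids = 'S-1-1-0', 'S-1-5-11', 'S-1-5-32-545', 'S-1-5-4'

# Access-mask bits that allow modification (same values for files and registry keys):
# write/set value, append/create subkey, DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_ALL, GENERIC_WRITE
$WriteMask = 0x2 -bor 0x4 -bor 0x10000 -bor 0x40000 -bor 0x80000 -bor 0x10000000 -bor 0x40000000

function Get-BroadWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    # Translate identities to SIDs so matching does not depend on the OS display language.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    foreach ($rule in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($rule.AccessControlType -ne 'Allow') { continue }
        if ($BroadSids -notcontains $rule.IdentityReference.Value) { continue }
        $rights = if ($rule -is [System.Security.AccessControl.RegistryAccessRule]) {
            $rule.RegistryRights
        } else {
            $rule.FileSystemRights
        }
        if (([int]$rights -band $WriteMask) -ne 0) {
            [pscustomobject]@{ Target = $Path; Sid = $rule.IdentityReference.Value; Rights = $rights }
        }
    }
}

$driver = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$DriverName'"
if (-not $driver) {
    Write-Output "$DriverName is not registered on $env:COMPUTERNAME."
    return
}
Write-Output "$DriverName found: State=$($driver.State) StartMode=$($driver.StartMode) Path=$($driver.PathName)"

# Objects to audit: the service's registry key and the driver binary on disk.
$targets = @("HKLM:\SYSTEM\CurrentControlSet\Services\$DriverName")
if ($driver.PathName) { $targets += ($driver.PathName -replace '^\\\?\?\\', '') }

$findings = foreach ($t in $targets) { Get-BroadWriteAce -Path $t }
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Output 'No write-capable ACEs for broad groups on the audited objects.' }
```

A clean result here does not show that a host is unaffected; whether the installed Tellus version carries the fix still has to be confirmed with Fuji Electric.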
Frequently Asked Questions
Can the vulnerability be exploited remotely?
No. The attack vector is local (AV:L in CVSS v3.1). The attacker must already have the ability to execute code on the target system with limited privileges.
What consequences are documented beyond escalation to SYSTEM?
According to the CISA advisory, privilege escalation may enable an attacker to cause a temporary denial of service, open files, or delete files.
Is a patch available?
Yes. Advisory ZDI-26-367 confirms that Fuji Electric has issued an update to address this vulnerability.
Which Fuji Electric Tellus versions are affected?
Specific versions have not been disclosed in the available documentation. Contact Fuji Electric directly for the mapping of affected versions.
Information verified against cited sources and current as of publication.
Sources
- http://www.zerodayinitiative.com/advisories/ZDI-26-367/
- https://www.cve.org/CVERecord?id=CVE-2026-8108
- https://www.cisa.gov/news-events/ics-advisories/icsa-26-132-01
- http://www.zerodayinitiative.com/advisories/published/
- http://www.zerodayinitiative.com/advisories/upcoming/
- https://www.trendmicro.com/