VYPR
Advisory · Published Jun 24, 2026 · 1 source

Fuji Electric Tellus pcid64 Driver Flaw (CVE-2026-8108) Enables Local Privilege Escalation to SYSTEM

A high-severity vulnerability in Fuji Electric Tellus allows local attackers to escalate privileges to SYSTEM via exposed dangerous methods in the pcid64 driver.

A coordinated disclosure from Zero Day Initiative and CISA has revealed a local privilege escalation vulnerability in Fuji Electric Tellus, tracked as CVE-2026-8108. The flaw resides in the pcid64 driver and exposes dangerous Registry API methods that let an attacker with low-privileged code execution escalate privileges to the SYSTEM level. With a CVSS score of 7.8, the vulnerability poses a significant risk to industrial environments where Tellus is used for human-machine interface (HMI) operations.

The specific flaw lies within the pcid64 driver's implementation of Registry APIs. The issue results from the exposure of dangerous functions that should not be accessible to unprivileged processes. An attacker who first obtains the ability to execute low-privileged code on the target system—perhaps through another vulnerability, a malicious insider, or social engineering—can leverage this exposed functionality to overwrite system-level registry entries or invoke privileged operations. This allows the attacker to execute arbitrary code in the context of SYSTEM, the highest privilege level on Windows-based industrial controllers.

Fuji Electric Tellus is widely deployed in manufacturing, energy, and infrastructure sectors for monitoring and controlling industrial processes. The presence of a privilege escalation vulnerability in its driver stack means that an initial foothold gained through a separate vector could be quickly escalated to full control over the control system host. While this is a local attack requiring prior code execution, such escalation chains are common in targeted attacks against operational technology (OT) environments.

The vulnerability was discovered by security researcher 김명규 and reported to Fuji Electric on September 10, 2025. The coordinated disclosure timeline culminated on June 24, 2026, with the simultaneous release of advisories from Zero Day Initiative (ZDI-26-367) and CISA (ICSA-26-132-01). Fuji Electric has issued a vendor-supplied patch to correct the vulnerability. Users are strongly advised to apply the update as soon as possible, especially in environments where Tellus workstations are accessible to authenticated users with limited privileges.

No active exploitation of CVE-2026-8108 has been reported at the time of disclosure, but the detailed public advisory provides sufficient technical information for motivated attackers to develop an exploit. The vulnerability highlights a persistent pattern in industrial control system software: driver-level components with overly permissive APIs that violate the principle of least privilege. As OT environments increasingly converge with IT networks, such local privilege escalation flaws become attractive stepping stones for attackers seeking to disrupt physical processes.

Beyond patching, organizations should restrict physical and remote access to Fuji Electric Tellus systems, enforce the principle of least privilege for user accounts, and monitor for unusual driver load events or registry modifications. The CISA advisory provides additional mitigation recommendations tailored to critical infrastructure environments. This disclosure serves as a reminder that even local vulnerabilities in industrial software must be taken seriously, as they can serve as the critical pivot point in a multi-stage attack on operational technology.
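The monitoring recommendation above can be prototyped against exported Sysmon events (Event ID 6, driver loaded; Event ID 13, registry value set). This is an added example, not code from the advisory, the vendor or the researchers. It assumes events exported as JSON lines with Sysmon's field names; the driver file name `pcid64.sys`, the watched key prefix and the expected-writer list are assumptions to tune per site.

```python
import json

# Assumptions, not from the advisory: the driver's file name, the watched key
# prefix, and which accounts are expected to write there. Tune per site.
DRIVER_FILE = "pcid64.sys"
WATCHED_PREFIXES = ("hklm\\system\\currentcontrolset\\services\\",)
EXPECTED_WRITERS = {"nt authority\\system"}

def triage(lines):
    """Return (hosts_with_driver, alerts) from JSON-lines Sysmon-style events."""
    hosts, candidates = set(), []
    for line in lines:
        ev = json.loads(line)
        host = ev["Computer"].lower()
        if ev["EventID"] == 6:  # Sysmon: driver loaded
            if ev["ImageLoaded"].lower().endswith("\\" + DRIVER_FILE):
                hosts.add(host)
        elif ev["EventID"] == 13:  # Sysmon: registry value set
            key = ev["TargetObject"].lower()
            unexpected = ev["User"].lower() not in EXPECTED_WRITERS
            if key.startswith(WATCHED_PREFIXES) and unexpected:
                candidates.append((host, ev))
    # Alert only on hosts where the driver was seen, whatever the event order.
    alerts = [
        {"host": h, "user": ev["User"], "image": ev["Image"], "key": ev["TargetObject"]}
        for h, ev in candidates if h in hosts
    ]
    return hosts, alerts

# Constructed sample events (host names, paths and accounts are made up).
SVC_KEY = r"HKLM\System\CurrentControlSet\Services\ExampleSvc\ExampleValue"
SAMPLE = [json.dumps(e) for e in (
    {"EventID": 13, "Computer": "HMI-01", "User": r"HMI-01\operator",
     "Image": r"C:\Users\operator\tool.exe", "TargetObject": SVC_KEY},
    {"EventID": 6, "Computer": "HMI-01",
     "ImageLoaded": r"C:\Windows\System32\drivers\pcid64.sys"},
    {"EventID": 13, "Computer": "HMI-01", "User": r"NT AUTHORITY\SYSTEM",
     "Image": r"C:\Windows\System32\services.exe", "TargetObject": SVC_KEY},
    {"EventID": 13, "Computer": "ENG-02", "User": r"ENG-02\operator",
     "Image": r"C:\Users\operator\tool.exe", "TargetObject": SVC_KEY},
    {"EventID": 13, "Computer": "HMI-01", "User": r"HMI-01\operator",
     "Image": r"C:\Users\operator\tool.exe",
     "TargetObject": r"HKU\S-1-5-21-0-0-0-1001\Software\Example\Setting"},
)]

if __name__ == "__main__":
    hosts, alerts = triage(SAMPLE)
    print(sorted(hosts), alerts)
```

The returned host set doubles as a patch inventory of machines where the driver has loaded. Interactive administrators who legitimately edit the watched keys will appear as alerts until they are added to the expected-writer list.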

Synthesized by Vypr AI