Fuji Electric Tellus pcid64 Driver Flaw (CVE-2026-8108) Enables Local Privilege Escalation to SYSTEM

A high-severity vulnerability in Fuji Electric Tellus, tracked as CVE-2026-8108 with a CVSS score of 7.8, allows local attackers to delete arbitrary files and escalate privileges to SYSTEM. The flaw resides in the pcid64 driver, which exposes dangerous methods through file APIs. An attacker must first gain the ability to execute low-privileged code on the target system to exploit this vulnerability.

The specific issue lies within calls to methods in the pcid64 driver, resulting in access to exposed dangerous functions. This allows an attacker to leverage the vulnerability to escalate privileges and execute arbitrary code in the context of SYSTEM. The vulnerability was disclosed by Zero Day Initiative as ZDI-26-366.

Fuji Electric has issued an update to correct this vulnerability. More details can be found in the CISA advisory ICSA-26-132-01. The disclosure timeline shows the vulnerability was reported to the vendor on October 9, 2025, with coordinated public release on June 24, 2026.

This vulnerability affects Fuji Electric Tellus, a human-machine interface (HMI) software widely used in industrial control systems. The ability to delete arbitrary files and escalate privileges to SYSTEM could allow an attacker to compromise the integrity and availability of critical industrial processes.

Organizations using Fuji Electric Tellus should apply the vendor-supplied update immediately. As a mitigation, administrators should restrict local access to systems running the affected software and follow the principle of least privilege to limit the potential for exploitation.

The disclosure was credited to researcher 김명규. This vulnerability highlights the ongoing risks in industrial control system software, where local privilege escalation flaws can have severe consequences for critical infrastructure.