CVE-2025-66598
📋 TL;DR
This vulnerability in Yokogawa's FAST/TOOLS software allows attackers to potentially decrypt communications by exploiting support for outdated SSL/TLS versions. It affects FAST/TOOLS packages RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB from versions R9.01 to R10.04.
💻 Affected Systems
- FAST/TOOLS RVSVRN
- FAST/TOOLS UNSVRN
- FAST/TOOLS HMIWEB
- FAST/TOOLS FTEES
- FAST/TOOLS HMIMOB
📦 What is this software?
FAST/TOOLS by Yokogawa
⚠️ Risk & Real-World Impact
Worst Case
Full decryption of sensitive industrial control system communications, leading to data theft, manipulation of control commands, or complete system compromise.
Likely Case
Interception and decryption of web server communications, potentially exposing credentials, configuration data, and operational information.
If Mitigated
Limited impact with proper network segmentation and monitoring, though communication confidentiality remains compromised.
🎯 Exploit Status
Exploitation requires a man-in-the-middle position but uses well-known SSL/TLS downgrade attacks.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R10.04 with security update or later versions
Vendor Advisory: https://web-material3.yokogawa.com/1/39206/files/YSAR-26-0001-E.pdf
Restart Required: Yes
Instructions:
1. Download the security update from the Yokogawa support portal.
2. Apply the update to the affected FAST/TOOLS packages.
3. Restart the affected services.
4. Verify that the SSL/TLS configuration only allows secure protocols (TLS 1.2+).
🔧 Temporary Workarounds
Disable Weak SSL/TLS Protocols
Configure web servers to accept only TLS 1.2 or higher, disabling SSLv3, TLS 1.0, and TLS 1.1.
Configuration varies by web server; consult the Yokogawa documentation for FAST/TOOLS-specific settings.
Network Segmentation
Isolate FAST/TOOLS servers from untrusted networks and implement strict firewall rules.
🧯 If You Can't Patch
- Implement network-level SSL/TLS inspection and termination using modern protocols
- Monitor for SSL/TLS downgrade attempts and unusual network traffic patterns
🔍 How to Verify
Check if Vulnerable:
Use SSL/TLS scanning tools (like testssl.sh or Nmap scripts) against FAST/TOOLS web interfaces to check for support of weak protocols.
Check Version:
Check the FAST/TOOLS version through the administrative interface or consult the system documentation.
Verify Fix Applied:
Rescan with SSL/TLS testing tools to confirm that only TLS 1.2+ is supported, and check that the FAST/TOOLS version is R10.04 with the security update or later.
📡 Detection & Monitoring
Log Indicators:
- SSL/TLS protocol version errors
- Failed connection attempts followed by lower protocol connections
- Unusual SSL/TLS handshake patterns
Network Indicators:
- SSLv3 or TLS 1.0/1.1 handshakes to FAST/TOOLS servers
- Man-in-the-middle attack patterns in network traffic
SIEM Query:
source_ip=FAST/TOOLS_server AND (tls.version="SSLv3" OR tls.version="TLSv1.0" OR tls.version="TLSv1.1")
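The two indicators above (legacy-version handshakes to a FAST/TOOLS server, and a failed connection followed by a lower-protocol one) as detection logic over constructed Zeek-style ssl.log lines. This is an added example, not part of the advisory or any Yokogawa tooling; the server address, the log field subset, and the 5-second window are assumptions.

```python
from collections import defaultdict

# Zeek ssl.log version strings this advisory treats as weak.
LEGACY = {"SSLv3", "TLSv10", "TLSv11"}
# Constructed, hypothetical address of the FAST/TOOLS web server.
FASTTOOLS_SERVERS = {"10.20.0.5"}
DOWNGRADE_WINDOW = 5.0  # seconds between a failed and a legacy handshake
# Constructed sample: ts, orig_h, resp_h, resp_p, version, established (tab-separated)
SAMPLE_LOG = """\
1700000000.10\t10.20.0.50\t10.20.0.5\t443\tTLSv12\tT
1700000001.00\t10.20.0.51\t10.20.0.5\t443\tTLSv12\tF
1700000002.50\t10.20.0.51\t10.20.0.5\t443\tTLSv10\tT
1700000010.00\t10.20.0.52\t10.20.0.5\t443\tSSLv3\tT
1700000011.00\t10.20.0.53\t10.20.0.9\t443\tTLSv10\tT
"""

def parse(log_text):
    """Turn the tab-separated lines into dicts; skips blanks and '#' headers."""
    rows = []
    for line in log_text.splitlines():
        if not line or line.startswith("#"):
            continue
        ts, orig, resp, port, ver, est = line.split("\t")
        rows.append({"ts": float(ts), "orig": orig, "resp": resp,
                     "port": int(port), "version": ver, "established": est == "T"})
    return rows

def legacy_handshakes(rows):
    """Network indicator: any SSLv3/TLS1.0/1.1 handshake to a FAST/TOOLS server."""
    return [r for r in rows
            if r["resp"] in FASTTOOLS_SERVERS and r["version"] in LEGACY]

def downgrade_sequences(rows):
    """Log indicator: for one client->server pair, a failed modern handshake
    followed within DOWNGRADE_WINDOW seconds by an established legacy one."""
    by_pair = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["ts"]):
        by_pair[(r["orig"], r["resp"])].append(r)
    hits = []
    for pair, seq in by_pair.items():
        for i, first in enumerate(seq):
            if first["established"] or first["version"] in LEGACY:
                continue  # only a failed, modern attempt can start a downgrade
            for later in seq[i + 1:]:
                if later["ts"] - first["ts"] > DOWNGRADE_WINDOW:
                    break
                if later["established"] and later["version"] in LEGACY:
                    hits.append((pair, first["version"], later["version"]))
    return hits
```

On the sample, `legacy_handshakes` flags the two legacy connections to 10.20.0.5 and ignores the one to the non-FAST/TOOLS host, while `downgrade_sequences` flags only client 10.20.0.51, whose failed TLS 1.2 attempt was followed 1.5 s later by a successful TLS 1.0 handshake.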