CVE-2025-66601
📋 TL;DR
A content sniffing vulnerability in Yokogawa's FAST/TOOLS software lets an attacker get malicious script executed in a user's browser: responses are served with an unspecified MIME type, so the browser guesses the content type and can render attacker-supplied content as HTML or script. This affects industrial control systems using the FAST/TOOLS packages RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB, versions R9.01 to R10.04.
💻 Affected Systems
- FAST/TOOLS RVSVRN
- FAST/TOOLS UNSVRN
- FAST/TOOLS HMIWEB
- FAST/TOOLS FTEES
- FAST/TOOLS HMIMOB
📦 What is this software?
FAST/TOOLS by Yokogawa, a SCADA platform used in industrial control systems.
⚠️ Risk & Real-World Impact
Worst Case
Script execution in an operator's browser session is used to drive the HMI or pivot to other control-system hosts, leading to operational disruption, safety incidents, or data exfiltration.
Likely Case
Unauthorized script execution in a user's browser session leading to data manipulation, denial of service, or lateral movement within the control network.
If Mitigated
Limited impact if network segmentation and strict access controls prevent attacker access to vulnerable interfaces.
🎯 Exploit Status
Content sniffing attacks require little technical skill: the attacker needs a way to get attacker-controlled content served by the application and a victim whose browser renders it as HTML or script. No exploit tooling beyond a web browser is needed.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R10.04 with security update or later versions
Vendor Advisory: https://web-material3.yokogawa.com/1/39206/files/YSAR-26-0001-E.pdf
Restart Required: Yes
Instructions:
1. Download the security update from the Yokogawa support portal.
2. Apply the update following Yokogawa's installation guide.
3. Restart the affected FAST/TOOLS services.
4. Verify the fix by checking the version and testing functionality.
🔧 Temporary Workarounds
Content-Type Header Enforcement
Configure the web servers or reverse proxies in front of the FAST/TOOLS web interfaces to send an explicit Content-Type on every response and to disable browser content sniffing:
For Apache (requires mod_headers): Header set X-Content-Type-Options "nosniff"
For Nginx (append always so error responses get the header too): add_header X-Content-Type-Options "nosniff";
For IIS: add a customHeaders entry for X-Content-Type-Options with value "nosniff" in web.config
Network Segmentation
Isolate FAST/TOOLS systems from untrusted networks and implement strict firewall rules
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems from untrusted networks
- Deploy a web application firewall or reverse proxy that adds X-Content-Type-Options: nosniff and a default Content-Type to responses from the FAST/TOOLS web interfaces
🔍 How to Verify
Check if Vulnerable:
Check the FAST/TOOLS version via the system administration interface or configuration files. If the version is R9.01 through R10.04 and the security update has not been applied, the system is vulnerable.
Check Version:
Check FAST/TOOLS version through the product's administration console or configuration files (location varies by installation).
Verify Fix Applied:
Verify the version is R10.04 with the security update applied, or later. Then request a resource from the web interface (e.g. with curl -i) and confirm the response carries an explicit Content-Type and, where the workaround is in place, X-Content-Type-Options: nosniff.
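The header check above, as an added example (not Yokogawa code and not from the advisory): it takes a captured raw HTTP response, parses the status line and headers, and reports whether a browser could sniff the body into HTML or script. The sample responses are constructed, and the HMIWEB hostname mentioned in the comments is an assumption; the only headers consulted are the two this page discusses, Content-Type and X-Content-Type-Options.

```python
"""Decide whether a captured HTTP response could be content-sniffed by a browser.

Added example, not Yokogawa code. The responses below are constructed; the
hostname in the comment is an assumption about where such a check is aimed.
"""
import re

# Patterns the browser MIME-sniffing algorithm matches near the start of a body
# that arrived without a usable Content-Type (a subset of its HTML signatures).
HTML_MARKERS = re.compile(
    rb"^\s*<(!doctype html|html|head|script|iframe|body|svg|a\s)", re.IGNORECASE)

# Constructed samples standing in for responses captured from a FAST/TOOLS web
# interface (e.g. `curl -i https://hmiweb.example/...`, hostname assumed).
RESPONSES = {
    "no_type":    b"HTTP/1.1 200 OK\r\nContent-Length: 39\r\n\r\n<script>alert(document.cookie)</script>",
    "plain_html": b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\n\r\n<html><body>report</body></html>",
    "json":       b"HTTP/1.1 200 OK\r\nContent-Type: application/json\r\n\r\n{\"tag\":\"PT-101\"}",
    "hardened":   b"HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nX-Content-Type-Options: nosniff\r\n\r\n<script>alert(1)</script>",
}

def parse_response(raw: bytes):
    """Split a raw HTTP/1.x response into (status, headers, body); header names
    are lower-cased and a repeated header keeps its last value."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode()] = value.strip().decode()
    return status, headers, body

def assess_response(raw: bytes) -> dict:
    """Classify one response: 'sniffable', 'legacy-sniffable',
    'missing-content-type' or 'ok'."""
    status, headers, body = parse_response(raw)
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    nosniff = headers.get("x-content-type-options", "").strip().lower() == "nosniff"
    looks_active = bool(HTML_MARKERS.search(body[:512]))
    if ctype == "":
        # No declared type: without nosniff the browser may sniff it to text/html.
        # With nosniff it will not treat it as scriptable, but the header is still missing.
        verdict = "missing-content-type" if (nosniff or not looks_active) else "sniffable"
    elif ctype == "text/plain" and looks_active and not nosniff:
        verdict = "legacy-sniffable"   # only older browsers (IE) sniffed text/plain to HTML
    else:
        verdict = "ok"
    return {"status": status, "content_type": ctype, "nosniff": nosniff, "verdict": verdict}

def audit(responses: dict) -> dict:
    """Map sample name -> verdict so a whole capture can be summarised."""
    return {name: assess_response(raw)["verdict"] for name, raw in responses.items()}

if __name__ == "__main__":
    for name, verdict in audit(RESPONSES).items():
        print(f"{name:11} {verdict}")
```

Feed it the bytes of a real capture (for instance the output of `curl -i` against the interface) and any verdict other than `ok` on a response that reflects or serves user-supplied content is a finding; `missing-content-type` is a defect worth fixing even when nosniff is present.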
📡 Detection & Monitoring
Log Indicators:
- HTTP responses logged with an empty or missing Content-Type, or text/plain for resources whose extension indicates HTML, script or XML
- Multiple failed attempts to access restricted resources from the same client
- Requests for user-supplied or uploaded content from sessions other than the one that created it
Network Indicators:
- HTTP responses with missing or manipulated Content-Type headers
- Repeated requests from one source for resources served without a declared type, suggesting probing for sniffable content
SIEM Query (field names depend on your log schema; the parentheses are required because AND binds tighter than OR in Splunk-style syntax):
source="fast_tools_logs" AND (http_content_type="" OR http_content_type="text/plain") AND file_extension IN ("html","js","xml")
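The same detection logic applied to web-access log lines in plain Python, as an added example rather than anything from the page's source or from Yokogawa. FAST/TOOLS' real log format is not documented here, so the lines are constructed in a simple key=value form and the field names (client, path, content_type) are assumptions to be mapped onto your own schema; the example also strips query strings before taking the extension, which the one-line query above does not address.

```python
"""Apply the page's SIEM logic to web-access log lines.

Added example; the log lines are constructed and the field names are assumptions.
"""
import re
from collections import Counter
from urllib.parse import urlparse

SNIFFABLE_TYPES = {"", "text/plain"}        # no declared type, or a legacy-sniffed one
ACTIVE_EXTENSIONS = {"html", "js", "xml"}   # extensions from the page's query

# Constructed sample log (key=value form assumed, not FAST/TOOLS' native format).
SAMPLE_LOG = """\
ts=2025-12-01T08:00:01Z client=10.1.5.20 method=GET path=/hmiweb/displays/overview.html status=200 content_type=text/html
ts=2025-12-01T08:00:02Z client=10.1.5.20 method=GET path=/hmiweb/js/app.js status=200 content_type=application/javascript
ts=2025-12-01T08:00:05Z client=10.1.9.77 method=GET path=/hmiweb/upload/report.html status=200 content_type=
ts=2025-12-01T08:00:06Z client=10.1.9.77 method=GET path=/hmiweb/upload/notes.js?v=2 status=200 content_type=text/plain
ts=2025-12-01T08:00:07Z client=10.1.9.77 method=GET path=/hmiweb/upload/readme.txt status=200 content_type=text/plain
"""

FIELD_RE = re.compile(r"(\w+)=(\S*)")

def parse_line(line: str) -> dict:
    """key=value tokens; an empty value (content_type=) is preserved as ''."""
    return dict(FIELD_RE.findall(line))

def file_extension(path: str) -> str:
    """Extension of the request path with the query string stripped, lower-cased."""
    name = urlparse(path).path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

def is_suspicious(event: dict) -> bool:
    """(content_type missing OR text/plain) AND extension in the active set.
    The grouping matters: in Splunk-style syntax AND binds tighter than OR."""
    ctype = event.get("content_type", "").split(";")[0].strip().lower()
    return ctype in SNIFFABLE_TYPES and file_extension(event.get("path", "")) in ACTIVE_EXTENSIONS

def find_suspicious(log_text: str) -> list:
    """All parsed events that match the detection rule."""
    return [e for e in map(parse_line, log_text.splitlines()) if e and is_suspicious(e)]

def hits_per_client(log_text: str) -> Counter:
    """Group hits by client so repeated probing from one source stands out."""
    return Counter(e["client"] for e in find_suspicious(log_text))

if __name__ == "__main__":
    for e in find_suspicious(SAMPLE_LOG):
        print(e["client"], e["path"], repr(e["content_type"]))
    print(hits_per_client(SAMPLE_LOG))
```

On the constructed sample, the two upload requests from 10.1.9.77 match (an empty Content-Type on an .html resource and text/plain on a .js resource) while readme.txt does not; aggregating per client is what turns isolated matches into an alert worth triaging.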