CVE-2025-66602
📋 TL;DR
This vulnerability in Yokogawa's FAST/TOOLS allows web servers to be accessed directly by IP address, making them susceptible to automated scanning and potential worm attacks. Affected systems include FAST/TOOLS packages RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB running versions R9.01 through R10.04.
💻 Affected Systems
- FAST/TOOLS RVSVRN
- FAST/TOOLS UNSVRN
- FAST/TOOLS HMIWEB
- FAST/TOOLS FTEES
- FAST/TOOLS HMIMOB
📦 What is this software?
FAST/TOOLS by Yokogawa (SCADA software); the affected packages are its server and web/mobile HMI components listed above.
⚠️ Risk & Real-World Impact
Worst Case
Automated worms could compromise multiple systems, leading to industrial control system disruption, data theft, or ransomware deployment across the network.
Likely Case
Systems become targets for automated scanning and reconnaissance, potentially leading to further exploitation if other vulnerabilities exist.
If Mitigated
With proper network segmentation and access controls, impact is limited to reconnaissance attempts without successful exploitation.
🎯 Exploit Status
The vulnerability itself enables discovery and access, but actual exploitation would require additional vulnerabilities in the web services.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R10.04 with the vendor security patch applied, or a later release
Vendor Advisory: https://web-material3.yokogawa.com/1/39206/files/YSAR-26-0001-E.pdf
Restart Required: Yes
Instructions:
1. Download the security patch from the Yokogawa support portal.
2. Apply the patch according to the vendor documentation.
3. Restart the affected services.
4. Verify that the patch was applied (see How to Verify below).
🔧 Temporary Workarounds
Network Access Control
Restrict network access to FAST/TOOLS web servers using firewalls or network segmentation
Host-based Firewall
Configure the host firewall to allow only trusted IP addresses to reach the web server ports
🧯 If You Can't Patch
- Implement strict network segmentation to isolate FAST/TOOLS systems from untrusted networks
- Deploy intrusion detection systems to monitor for scanning activity and unauthorized access attempts
🔍 How to Verify
Check if Vulnerable:
Confirm that the installed FAST/TOOLS release falls in the affected range R9.01 through R10.04 and that one of the listed packages (RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) is present. Then, from a network segment that should not have access, test whether the FAST/TOOLS web server answers when addressed by IP. If it does, the system is exposed.
Check Version:
Check version through FAST/TOOLS administration interface or consult system documentation
Verify Fix Applied:
After patching, attempt to reach the web server by IP address from a network segment that is not authorized to use it; the connection should be blocked or restricted. Repeat the check from an authorized segment to confirm that legitimate HMI access still works.
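The reachability check described above, as an added example (not code from the page or from Yokogawa): it attempts a TCP connection by IP address to each FAST/TOOLS web port from the segment the script runs on and reports which ports answer. The port list and target address are assumptions, not values from the advisory; the local listener exists only so the check can be exercised offline.

```python
import socket
import sys

# Assumed web ports; the advisory does not enumerate them, so adjust to your deployment.
WEB_PORTS = (80, 443, 8080, 8443)


def probe_tcp(host, port, timeout=2.0):
    """Return True if a TCP handshake to host:port completes from this segment,
    False if the connection is refused or filtered (timeout)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_exposure(host, ports=WEB_PORTS, timeout=2.0):
    """Return {port: reachable}. Run from an UNauthorized segment after patching or
    firewalling: every True entry is a finding, because the server still answers by IP."""
    return {port: probe_tcp(host, port, timeout) for port in ports}


def start_local_listener():
    """Constructed stand-in for a reachable service (loopback, ephemeral port) so the
    probe can be demonstrated without touching a real FAST/TOOLS host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # Usage: python probe.py <fast_tools_ip>; defaults to a constructed local listener.
    if len(sys.argv) > 1:
        target, ports, srv = sys.argv[1], WEB_PORTS, None
    else:
        srv, port = start_local_listener()
        target, ports = "127.0.0.1", (port,)
    for port, reachable in check_exposure(target, ports).items():
        state = "REACHABLE (finding)" if reachable else "blocked"
        print(f"{target}:{port} {state}")
    if srv is not None:
        srv.close()
```

Run it once from an untrusted segment (all ports should report blocked) and once from the engineering or control segment (the expected HMI port should report reachable); a "reachable" result from the untrusted side means the mitigation is not in effect.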
📡 Detection & Monitoring
Log Indicators:
- Multiple failed connection attempts from various IPs
- Unusual scanning patterns in web server logs
- Access attempts from non-authorized network ranges
Network Indicators:
- Port scanning activity targeting FAST/TOOLS web ports (typically 80/443)
- Traffic from unknown IPs to industrial control system networks
SIEM Query (pseudo-syntax; adapt the field names to your SIEM):
source_ip NOT IN (trusted_ips) AND dest_port IN (80,443,8080,8443) AND dest_ip IN (fast_tools_servers)