CVE-2025-66606

9.6 CRITICAL

📋 TL;DR

A URL encoding vulnerability in Yokogawa's FAST/TOOLS industrial control system allows attackers to manipulate web pages or execute malicious scripts. This affects multiple components (RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) in versions R9.01 through R10.04. Industrial operators using these systems are at risk of web-based attacks.

💻 Affected Systems

Products:
  • FAST/TOOLS RVSVRN
  • FAST/TOOLS UNSVRN
  • FAST/TOOLS HMIWEB
  • FAST/TOOLS FTEES
  • FAST/TOOLS HMIMOB
Versions: R9.01 to R10.04
Operating Systems: Not specified in advisory
Default Config Vulnerable: ⚠️ Yes
Notes: Multiple packages/components affected; industrial control system software

⚠️ Risk & Real-World Impact

🔴 Worst Case: Complete compromise of HMI/web interfaces allowing script execution, data manipulation, and potential control system impact

🟠 Likely Case: Web page tampering, session hijacking, or limited script execution affecting user interfaces

🟢 If Mitigated: Limited impact if proper network segmentation and web security controls are implemented

🌐 Internet-Facing: HIGH - Direct web interface exposure allows remote exploitation
🏢 Internal Only: MEDIUM - Requires internal network access but could spread within control network

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

URL encoding vulnerabilities typically require minimal technical skill to exploit via web interfaces

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: R10.04 with security updates or later versions

Vendor Advisory: https://web-material3.yokogawa.com/1/39206/files/YSAR-26-0001-E.pdf

Restart Required: Yes

Instructions:

1. Download security updates from the Yokogawa support portal.
2. Apply patches to affected FAST/TOOLS components.
3. Restart affected services.
4. Verify functionality.

🔧 Temporary Workarounds

Network Segmentation (all)
Isolate FAST/TOOLS systems from untrusted networks and the internet

Web Application Firewall (all)
Deploy a WAF with URL encoding validation rules

🧯 If You Can't Patch

  • Implement strict network access controls to limit web interface exposure
  • Monitor for unusual web traffic patterns and URL manipulation attempts

🔍 How to Verify

Check if Vulnerable: Check the FAST/TOOLS version against the affected range R9.01-R10.04

Check Version: Check the version through the FAST/TOOLS administration interface or system documentation

Verify Fix Applied: Verify that the Yokogawa security updates are installed and that the version is R10.04 or later with the patches applied

📡 Detection & Monitoring

Log Indicators:

  • Unusual URL patterns in web server logs
  • Multiple failed URL encoding attempts
  • Suspicious web requests to FAST/TOOLS interfaces

Network Indicators:

  • Malformed URLs targeting FAST/TOOLS web services
  • Script injection patterns in HTTP traffic

SIEM Query:

web.url contains "fast/tools" AND (web.url contains encoded characters OR web.url length abnormal)
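The SIEM query above made concrete as an added example (not from the advisory or from Yokogawa): a Python script that parses constructed Apache-style access-log lines, inspects only requests whose URL contains "fast/tools", and flags heavy percent-encoding, abnormal length, double encoding, and script-injection tokens in the fully decoded URL. The log format and the /fast/tools/... paths are assumptions, as are the thresholds.

```python
import re
from urllib.parse import unquote

# Assumption: the FAST/TOOLS web front end or a reverse proxy in front of it
# writes Common/Combined Log Format lines (Apache and nginx defaults).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})'
)
PCT_SEQ = re.compile(r"%[0-9A-Fa-f]{2}")
# Script-injection tokens looked for AFTER decoding (defensive pattern list).
SCRIPT_PAT = re.compile(r"<\s*script|javascript:|on(?:error|load)\s*=", re.IGNORECASE)

def classify_url(url, max_len=200, max_pct=4):
    """Return the reasons a request URL looks suspicious; [] if none or out of scope."""
    reasons = []
    if "fast/tools" not in url.lower():          # only the FAST/TOOLS web interface
        return reasons
    if len(PCT_SEQ.findall(url)) > max_pct:      # "contains encoded characters"
        reasons.append("many-encoded-chars")
    if len(url) > max_len:                       # "url length abnormal"
        reasons.append("abnormal-length")
    once, twice = unquote(url), unquote(unquote(url))
    if once != twice:                            # %25xx hides a second encoding layer
        reasons.append("double-encoding")
    if SCRIPT_PAT.search(twice):                 # inspect the fully decoded form
        reasons.append("script-injection-pattern")
    return reasons

def scan_log(lines):
    """Run classify_url over raw log lines; lines that do not parse are skipped."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify_url(m["url"])
        if reasons:
            hits.append({"ip": m["ip"], "url": m["url"], "reasons": reasons})
    return hits

# Constructed sample lines (not real traffic); the /fast/tools/ paths are assumed.
def _line(ip, url):
    return f'{ip} - - [10/Jan/2026:08:00:00 +0000] "GET {url} HTTP/1.1" 200 512'
SAMPLE_LOG = [
    _line("10.0.0.5", "/fast/tools/hmiweb/index.html?tag=Pump%201%20Status"),           # benign
    _line("10.0.0.9", "/fast/tools/hmiweb/page?name=%253Cscript%253Ex%253C%252Fscript%253E"),
    _line("10.0.0.9", "/fast/tools/ftees/report?q=" + "A" * 250),                       # oversized
    _line("10.0.0.5", "/static/logo.png"),                                              # not in scope
    "garbage line that does not parse",
]
```

The thresholds are starting points to tune against normal HMIWEB traffic; a legitimate literal percent sign (sent as %25) will also trip the double-encoding rule, so treat that flag as a signal to review rather than an alert on its own.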
