CVE-2025-66607
📋 TL;DR
This vulnerability in Yokogawa FAST/TOOLS involves insecure response header settings that could allow attackers to redirect users to malicious websites. It affects FAST/TOOLS packages RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB from versions R9.01 to R10.04. Industrial control system operators using these versions are at risk.
💻 Affected Systems
- FAST/TOOLS RVSVRN
- FAST/TOOLS UNSVRN
- FAST/TOOLS HMIWEB
- FAST/TOOLS FTEES
- FAST/TOOLS HMIMOB
📦 What is this software?
FAST/TOOLS by Yokogawa
⚠️ Risk & Real-World Impact
Worst Case
Attackers could redirect authenticated users to phishing sites to steal credentials or deliver malware, potentially compromising industrial control systems.
Likely Case
Users could be redirected to malicious websites that steal session cookies or credentials through phishing attacks.
If Mitigated
With proper network segmentation and user awareness training, impact would be limited to potential credential theft from individual users.
🎯 Exploit Status
Exploitation requires the attacker to be able to manipulate HTTP responses, but no public exploit code is available.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R10.04 with security patch or later versions
Vendor Advisory: https://web-material3.yokogawa.com/1/39206/files/YSAR-26-0001-E.pdf
Restart Required: Yes
Instructions:
1. Download the security patch from the Yokogawa support portal.
2. Apply the patch according to vendor documentation.
3. Restart affected services.
4. Verify the fix by checking response headers.
🔧 Temporary Workarounds
Network Segmentation
Isolate FAST/TOOLS systems from untrusted networks to prevent external attackers from reaching vulnerable services.
Web Application Firewall
Deploy a WAF to inspect and sanitize HTTP response headers before they reach users.
🧯 If You Can't Patch
- Implement strict network segmentation to isolate vulnerable systems
- Deploy monitoring for unusual redirect patterns in web traffic
🔍 How to Verify
Check if Vulnerable:
Inspect HTTP response headers from FAST/TOOLS web interfaces for insecure redirect settings or missing security headers.
Check Version:
Check FAST/TOOLS version through administrative interface or consult system documentation.
Verify Fix Applied:
Verify that response headers no longer contain insecure redirect settings and include proper security headers after patching.
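The checks above can be scripted against a captured response. The following is an added example, not Yokogawa's code or a tool from the advisory: it parses a raw HTTP/1.x response, reports a 3xx whose Location header points at a host outside an allowed list, and reports which common security headers are absent. The two sample responses, the host `hmi.plant.example`, and the list of expected security headers are constructed assumptions for illustration; adjust both lists to your deployment.

```python
"""Audit a captured FAST/TOOLS HTTP response for redirect and security-header weaknesses.

Added example, not Yokogawa's code. Sample responses and hostnames below are
constructed; the expected-header list is a common baseline, not a vendor list.
"""
from urllib.parse import urlsplit

# Assumption: a hardened web interface is expected to send these headers.
EXPECTED_SECURITY_HEADERS = (
    "strict-transport-security",
    "x-frame-options",
    "x-content-type-options",
    "content-security-policy",
)

REDIRECT_CODES = {301, 302, 303, 307, 308}


def parse_response(raw: bytes) -> tuple:
    """Split a raw HTTP/1.x response into (status code, lower-cased header dict)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])
    headers = {}
    for line in lines[1:]:
        # Partition on the first colon only, so URLs in header values survive.
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def audit_response(raw: bytes, allowed_hosts: set) -> list:
    """Return a list of findings; an empty list means the response looks hardened."""
    status, headers = parse_response(raw)
    findings = []
    location = headers.get("location")
    if status in REDIRECT_CODES and location is not None:
        # Relative targets ("/login") have no hostname and are not flagged;
        # scheme-relative ones ("//other.example") are, as urlsplit resolves them.
        host = urlsplit(location).hostname
        if host is not None and host.lower() not in allowed_hosts:
            findings.append(f"redirect to external host: {host}")
    for name in EXPECTED_SECURITY_HEADERS:
        if name not in headers:
            findings.append(f"missing security header: {name}")
    return findings


# Constructed sample: redirect leaves the HMI host and security headers are absent.
WEAK_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: http://external.example/login\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample: same-host redirect with the baseline headers present.
HARDENED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Location: https://hmi.plant.example/login\r\n"
    b"Strict-Transport-Security: max-age=31536000\r\n"
    b"X-Frame-Options: DENY\r\n"
    b"X-Content-Type-Options: nosniff\r\n"
    b"Content-Security-Policy: default-src 'self'\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

ALLOWED_HOSTS = {"hmi.plant.example"}  # assumption: the HMI's own hostname

if __name__ == "__main__":
    for label, raw in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(label, audit_response(raw, ALLOWED_HOSTS) or ["no findings"])
```

Run it against a response captured with your usual proxy or `curl -i` output saved to a file; an empty findings list after patching is the "fix applied" condition described above, while a non-empty one before patching documents the "vulnerable" state.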
📡 Detection & Monitoring
Log Indicators:
- Unusual redirect patterns in web server logs
- Multiple failed authentication attempts followed by redirects
Network Indicators:
- HTTP responses with suspicious Location headers
- Unexpected redirects to external domains
SIEM Query:
web.url contains "redirect" AND (web.status_code = 301 OR web.status_code = 302) AND NOT web.url contains "expected-domain.com"
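The SIEM query above can be reproduced outside a SIEM for testing or for systems whose logs are exported as files. The following is an added example, not part of the advisory or of Yokogawa's tooling. It applies the same rule to constructed JSON-lines records, with one deliberate refinement: instead of substring-matching the request URL against the expected domain, it parses the host out of the logged Location header and compares it to an allow list, so a target URL that merely contains the expected domain text is not treated as benign. The log format, field names (`ts`, `src`, `url`, `status`, `location`) and hostnames are assumptions.

```python
"""Flag 301/302 redirects to unexpected hosts in web-server log records.

Added example, not Yokogawa's code. Log format, field names and hostnames are
constructed assumptions; adapt the loader to your real export format.
"""
import json
from typing import Optional
from urllib.parse import urlsplit

# Assumption: the only host the HMI should redirect to is its own.
EXPECTED_HOSTS = {"hmi.plant.example"}

REDIRECT_CODES = {301, 302}

# Constructed sample records: a plain 200, a same-host redirect, an absolute
# external redirect, a scheme-relative external redirect, a relative redirect.
SAMPLE_LOG = """\
{"ts": "2026-01-12T10:15:01Z", "src": "10.0.0.5", "url": "/login", "status": 200, "location": ""}
{"ts": "2026-01-12T10:15:02Z", "src": "10.0.0.5", "url": "/redirect?target=/hmi", "status": 302, "location": "https://hmi.plant.example/hmi"}
{"ts": "2026-01-12T10:15:03Z", "src": "10.0.0.9", "url": "/redirect?target=http://external.example", "status": 302, "location": "http://external.example/"}
{"ts": "2026-01-12T10:15:04Z", "src": "10.0.0.9", "url": "/redirect?target=//external.example", "status": 301, "location": "//external.example/"}
{"ts": "2026-01-12T10:15:05Z", "src": "10.0.0.7", "url": "/redirect", "status": 302, "location": "/hmi/start"}
"""


def redirect_host(location: str) -> Optional[str]:
    """Hostname a Location value points at; None for empty or relative targets."""
    if not location:
        return None
    return urlsplit(location).hostname


def is_suspicious(record: dict, expected_hosts: set) -> bool:
    """True when a 301/302 sends the client to a host outside expected_hosts."""
    if record.get("status") not in REDIRECT_CODES:
        return False
    host = redirect_host(record.get("location", ""))
    return host is not None and host.lower() not in expected_hosts


def scan_log(text: str, expected_hosts: set) -> list:
    """Return the records matching the detection rule, skipping malformed lines."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            record = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed export line; count these separately in production
        if is_suspicious(record, expected_hosts):
            hits.append(record)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG, EXPECTED_HOSTS):
        print(hit["ts"], hit["src"], hit["status"], "->", hit["location"])
```

Relative redirects are deliberately not flagged, matching the page's indicator of "unexpected redirects to external domains"; if your deployment never issues redirects at all, tightening `is_suspicious` to flag every 3xx is a one-line change.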