PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-7741 Yokogawa Electric Corporation CVE debrief

CVE-2025-7741 affects Yokogawa CENTUM VP: the PROG account used in CENTUM Authentication Mode has a hardcoded password. Per the advisory, an attacker who already has access to the HIS screen controls may be able to log in as PROG. By default PROG holds S1 permission (equivalent to OFFUSER), so critical operations or configuration changes are unlikely as long as the defaults stand; if the PROG permissions have been changed from the default, the risk rises accordingly.

Vendor
Yokogawa Electric Corporation
Product
Yokogawa CENTUM VP: R5.01.00 up to but not including R5.04.20; R6.01.00 up to but not including R6.12.00; R7.01.00
CVSS
4 (Medium)
CISA KEV
Not listed in stored evidence
Original CVE published
2026-04-02
Original CVE updated
2026-04-02
Advisory published
2026-04-02
Advisory updated
2026-04-02

Who should care

OT/ICS administrators, control-room engineers, and incident responders running Yokogawa CENTUM VP, especially sites using CENTUM Authentication Mode, exposed HIS screen controls, or customized PROG permissions.

Technical summary

The issue is a hardcoded password for the PROG user account in CENTUM Authentication Mode. CISA's advisory states that the default PROG permission is S1, equivalent to OFFUSER, so impact is generally limited when permissions remain unchanged. If PROG permissions have been modified, a successful login as PROG could permit whatever operations or configuration changes those modified rights allow. The advisory also notes that an attacker must already have access to the HIS screen controls, which constrains exposure; the account and its password matter only where CENTUM Authentication Mode is in use, which is why the vendor remediation for older releases is a change of authentication mode rather than a patch.

Defensive priority

Medium: prioritize remediation for affected CENTUM VP systems that use CENTUM Authentication Mode, have accessible HIS screen controls, or have any non-default PROG permissions.

Recommended defensive actions

  • For CENTUM VP R5.01.00 up to but not including R5.04.20, and R6.01.00 up to but not including R6.12.00, change the user authentication mode to Windows Authentication Mode per Yokogawa guidance.
  • For CENTUM VP R7.01.00, apply patch software R7.01.10.
  • Review PROG account permissions and restore the default S1 permission model if it has been changed.
  • Restrict and monitor access to HIS screen controls and other operator-facing interfaces to reduce the chance of unauthorized PROG login attempts.
  • Follow Yokogawa advisory YSAR-26-0003 and validate the remediation in an engineering/test environment before deploying to production.
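The affected-release ranges and the remediation split between R5/R6 (authentication-mode change) and R7.01.00 (patch R7.01.10) are easy to misread when checking an HIS inventory by hand. The script below is an added example, not Yokogawa or CISA tooling; it encodes the ranges exactly as stated on this page and classifies each installation by release, configured authentication mode and whether PROG still has its default permission. The host names, the sample inventory rows and the "unknown" handling for releases between R7.01.00 and R7.01.10 (which the advisory does not describe) are assumptions made for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Added example: encodes the affected CENTUM VP releases and remediations as
# stated in the advisory text on this page. Not vendor or CISA code.

Version = Tuple[int, int, int]
VERSION_RE = re.compile(r"^R(\d+)\.(\d+)\.(\d+)$")

WINDOWS_AUTH_FIX = "change the user authentication mode to Windows Authentication Mode"
R7_PATCH_FIX = "apply patch software R7.01.10"

# Inclusive lower bound, exclusive upper bound, remediation (from the advisory).
AFFECTED_RANGES = [
    ((5, 1, 0), (5, 4, 20), WINDOWS_AUTH_FIX),
    ((6, 1, 0), (6, 12, 0), WINDOWS_AUTH_FIX),
]
R7_AFFECTED: Version = (7, 1, 0)   # only R7.01.00 is named as affected
R7_PATCHED: Version = (7, 1, 10)   # the patch release named for R7


def parse_version(text: str) -> Version:
    """Turn a release string like 'R6.11.00' into the comparable tuple (6, 11, 0)."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a CENTUM VP release string: {text!r}")
    major, minor, patch = (int(p) for p in m.groups())
    return (major, minor, patch)


@dataclass(frozen=True)
class Assessment:
    version: str
    status: str                 # "affected", "mitigated", "not_affected" or "unknown"
    remediation: Optional[str]
    elevated_risk: bool         # True when PROG no longer has the default S1 permission
    note: str


def assess(version_text: str, auth_mode: str = "CENTUM", prog_default: bool = True) -> Assessment:
    """Classify one CENTUM VP installation against the advisory on this page.

    auth_mode is the configured user authentication mode ("CENTUM" or "WINDOWS").
    prog_default is True while PROG still holds the default S1 (OFFUSER) permission.
    """
    v = parse_version(version_text)
    remediation = next((fix for low, high, fix in AFFECTED_RANGES if low <= v < high), None)
    if v == R7_AFFECTED:
        remediation = R7_PATCH_FIX
    elif R7_AFFECTED < v < R7_PATCHED:
        # Assumption for the example: the advisory names only R7.01.00 and the
        # R7.01.10 patch, so an intermediate build is reported rather than guessed.
        return Assessment(version_text, "unknown", R7_PATCH_FIX, not prog_default,
                          "release between R7.01.00 and R7.01.10 is not covered by the advisory; confirm with Yokogawa")
    if remediation is None:
        return Assessment(version_text, "not_affected", None, False, "release outside the affected ranges")

    elevated = not prog_default
    if auth_mode.strip().upper() == "WINDOWS":
        # The software is in an affected range, but the PROG password is only used
        # in CENTUM Authentication Mode; the R7 patch still applies to R7.01.00.
        fix = R7_PATCH_FIX if v == R7_AFFECTED else None
        return Assessment(version_text, "mitigated", fix, elevated,
                          "Windows Authentication Mode in use; keep it and verify PROG is still S1")
    note = ("PROG keeps the default S1 (OFFUSER-equivalent) permission" if not elevated
            else "PROG permission changed from the default S1: treat as higher priority")
    return Assessment(version_text, "affected", remediation, elevated, note)


# Constructed sample inventory (host, release, auth mode, PROG at default?), not real site data.
SAMPLE_INVENTORY = [
    ("HIS-01", "R6.11.00", "CENTUM", True),
    ("HIS-02", "R6.11.00", "CENTUM", False),
    ("HIS-03", "R5.04.20", "CENTUM", True),
    ("ENG-01", "R7.01.00", "WINDOWS", True),
    ("ENG-02", "R7.01.10", "CENTUM", True),
]


def assess_inventory(rows) -> List[Tuple[str, Assessment]]:
    """Run assess() over inventory rows and pair each result with its host name."""
    return [(host, assess(ver, mode, default)) for host, ver, mode, default in rows]


if __name__ == "__main__":
    for host, a in assess_inventory(SAMPLE_INVENTORY):
        risk = "high" if a.elevated_risk else "base"
        print(f"{host:7} {a.version:9} {a.status:13} risk={risk:4} {a.remediation or '-'}  ({a.note})")
```

Hosts reported as "affected" with elevated risk (HIS-02 in the sample) are the ones to remediate first; "mitigated" hosts still warrant a check that PROG's permission was never changed, since the advisory's low impact rests on the S1 default.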

Evidence notes

The supplied CISA CSAF advisory for ICSA-26-092-02 states that affected Yokogawa CENTUM VP products contain a hardcoded password for the PROG user account used in CENTUM Authentication Mode. It also states that exploitation requires prior access to HIS screen controls. The advisory further explains that PROG defaults to S1 permission (equivalent to OFFUSER), which lowers the practical impact unless permissions were changed. Remediations in the source corpus include switching affected R5/R6 systems to Windows Authentication Mode and applying R7.01.10 for R7.01.00.

Official resources

CISA republished the advisory on 2026-04-02 as ICSA-26-092-02, with the initial revision noted in the supplied source corpus. No Known Exploited Vulnerability entry was provided in the source data.