PatchSiren

PatchSiren cyber security CVE debrief

CVE-2025-66600 Yokogawa CVE debrief

Yokogawa FAST/TOOLS is affected by a missing HTTP Strict Transport Security (HSTS) configuration in its web server. The supplied CISA advisory says a man-in-the-middle attack could allow an attacker to sniff communications. The issue is network-exploitable, scored CVSS 8.2 (HIGH), and should be prioritized for any exposed FAST/TOOLS deployment.

Vendor: Yokogawa
Product: FAST/TOOLS
CVSS: HIGH 8.2
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-02-10
Original CVE updated: 2026-02-10
Advisory published: 2026-02-10
Advisory updated: 2026-02-10

Who should care

OT/ICS operators, control-system administrators, and security teams responsible for Yokogawa FAST/TOOLS, especially where the web interface is reachable over enterprise, remote-access, or other untrusted networks.

Technical summary

CISA’s CSAF advisory ICSA-26-041-01 states that Yokogawa FAST/TOOLS lacks HSTS. In practical terms, browsers that have reached the server over HTTPS are never instructed to refuse plaintext HTTP on later visits, so a downgrade to HTTP and interception of web traffic remain possible. The supplied CVSS vector is CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N, indicating a remotely reachable issue with high confidentiality impact and limited integrity impact. Yokogawa’s remediation guidance is to update to revision R10.04, apply patch software CS_e12787, and then apply R10.04 SP3.

Defensive priority

High — prioritize for any FAST/TOOLS web server that is exposed beyond a tightly controlled management network.

Recommended defensive actions

  • Apply Yokogawa’s stated remediation path: update to revision R10.04, apply patch software CS_e12787, and then apply R10.04 SP3.
  • Limit access to the FAST/TOOLS web server to trusted management networks and required administrative paths only.
  • Verify that HTTPS-only access is enforced where supported and that HSTS is enabled after remediation.
  • Use segmentation, firewall rules, and other defense-in-depth controls to reduce the chance of interception on OT management traffic.
  • Follow CISA’s ICS recommended practices and vendor security-program guidance for patching, hardening, backup/recovery, whitelisting, and related controls.
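As an added defensive check (example code written for this debrief, not from the CISA advisory or from Yokogawa), the script below parses the Strict-Transport-Security header a web server returns and flags a missing header, a missing or zero max-age, a short max-age, or a missing includeSubDomains directive, which is how the post-remediation verification step above can be automated. The sample header sets are constructed, and the live-check URL is a placeholder to be replaced with the FAST/TOOLS HTTPS endpoint.

```python
from urllib.request import Request, urlopen

MIN_MAX_AGE = 31536000  # one year, the commonly recommended baseline


def parse_hsts(value):
    """Parse an HSTS header value into {directive: value}; flag directives map to None.
    Directive names are case-insensitive per RFC 6797, so they are lowercased."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if sep else None
    return directives


def evaluate_hsts(headers):
    """Return a list of findings for a response-header mapping (names matched
    case-insensitively). An empty list means the policy meets the baseline."""
    findings = []
    hsts = next((v for k, v in headers.items()
                 if k.lower() == "strict-transport-security"), None)
    if hsts is None:
        return ["missing Strict-Transport-Security header"]
    d = parse_hsts(hsts)
    if "max-age" not in d or not (d["max-age"] or "").isdigit():
        findings.append("max-age directive missing or not numeric")
    elif int(d["max-age"]) == 0:
        findings.append("max-age=0 disables HSTS")
    elif int(d["max-age"]) < MIN_MAX_AGE:
        findings.append(f"max-age {d['max-age']} shorter than {MIN_MAX_AGE}")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


def check_live(url, timeout=5):
    """HEAD the HTTPS URL and evaluate its HSTS header. Browsers ignore HSTS sent
    over plaintext HTTP, so the URL must use the https scheme."""
    with urlopen(Request(url, method="HEAD"), timeout=timeout) as resp:
        return evaluate_hsts(dict(resp.getheaders()))


# Constructed sample responses; not captured from a real FAST/TOOLS server.
BEFORE = {"Server": "placeholder", "Content-Type": "text/html"}
AFTER = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, hdrs in (("before", BEFORE), ("after", AFTER)):
        print(label, evaluate_hsts(hdrs) or ["ok"])
    # check_live("https://fasttools.example.invalid/")  # placeholder host
```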

Evidence notes

This debrief is based on the supplied CISA CSAF advisory for ICSA-26-041-01 / CVE-2025-66600 and the associated official reference links. The advisory explicitly says FAST/TOOLS lacks HSTS and that a MITM attacker could sniff web communications. The vendor remediation steps were taken directly from the advisory. The supplied enrichment does not mark this as a CISA KEV item.

Official resources

CISA published ICSA-26-041-01 for CVE-2025-66600 on 2026-02-10, with the source record shown as an initial republication of YSAR-26-0001-E. The supplied data does not mark this issue as a CISA KEV item.