Details of VAR-202602-0255

ID

VAR-202602-0255

CVE

CVE-2025-66601

TITLE

Yokogawa Electric FAST/TOOLS Multiple vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779

DESCRIPTION

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not specify MIME types. When an attacker performs a content sniffing attack, malicious scripts could be executed. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04. The expected impact varies depending on the vulnerability, but could include the following: CVE-2025-66594 The information in the message displayed on the error page could be used for other attacks. CVE-2025-66595 If a user accessed a specially crafted link sent by an attacker, their account could be spoofed. CVE-2025-66596 If an attacker inserts an invalid host header, they may be redirected to a malicious host. CVE-2025-66597 Weak cryptographic algorithms are available, allowing attackers to Web Communications with the server may be decrypted. CVE-2025-66598 old SSL/TLS version available, allowing attackers to Web Communications with the server may be decrypted. CVE-2025-66599Web The physical path displayed on the page can be used for other attacks. CVE-2025-66600 Attackers can perform man-in-the-middle attacks ( Man-in-the-Middle Attack ) is performed, Web There is a risk that communications with the server may be intercepted. CVE-2025-66602Web The server IP To accept access by address, random IP By address Web Malware looking for servers can be introduced into your network. CVE-2025-66603Web The server accepted OPTIONS The information in the method sage can be used in other attacks. CVE-2025-66604Web The library version information displayed on the page can be used for other attacks. CVE-2025-66605Web On the page Autocomplete There are input fields that have the attribute enabled, which may cause the input to be saved in the browser. CVE-2025-66607 Insecure response headers may allow attackers to redirect you to malicious sites. CVE-2025-66608URL Due to insufficient validation, if a crafted request is received by an attacker, Web There is a possibility that files stored on the server may be stolen. For more information, please refer to the information provided by the developer

Trust: 1.62

sources: NVD: CVE-2025-66601 // JVNDB: JVNDB-2026-002779

AFFECTED PRODUCTS

vendor:	yokogawa	model:	fast\/tools	scope:	lte	version:	r10.04	Trust: 1.0
vendor:	yokogawa	model:	fast\/tools	scope:	gte	version:	r9.01	Trust: 1.0
vendor:	横河電機株式会社	model:	fast/tools	scope:	eq	version:	package: rvsvrn , unsvrn , hmiweb , ftees , hmimob version: r9.01 to r10.04 to	Trust: 0.8
vendor:	横河電機株式会社	model:	fast/tools	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66601

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2025-66601
value:	MEDIUM
Trust: 1.0
7168b535-132a-4efe-a076-338f829b2eb9:	CVE-2025-66601
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2026-002779
value:	MEDIUM
Trust: 0.8

nvd@nist.gov:	CVE-2025-66601
baseSeverity:	MEDIUM
baseScore:	6.1
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	2.8
impactScore:	2.7
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2026-002779
baseSeverity:	MEDIUM
baseScore:	6.5
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	LOW
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66601 // NVD: CVE-2025-66601

PROBLEMTYPE DATA

problemtype:	CWE-358	Trust: 1.0
problemtype:	Information leakage due to error message (CWE-209) [ others ]	Trust: 0.8
problemtype:	path traversal (/../filename)(CWE-29) [ others ]	Trust: 0.8
problemtype:	During authentication IP Address Dependency (CWE-291) [ others ]	Trust: 0.8
problemtype:	Sending important information in clear text (CWE-319) [ others ]	Trust: 0.8
problemtype:	Use of incomplete or dangerous cryptographic algorithms (CWE-327) [ others ]	Trust: 0.8
problemtype:	Cross-site request forgery (CWE-352) [ others ]	Trust: 0.8
problemtype:	Improperly implemented security checks (CWE-358) [ others ]	Trust: 0.8
problemtype:	Disclosure of Personal Information to Unauthorized Actors (CWE-359) [ others ]	Trust: 0.8
problemtype:	Leakage of important information to unauthorized control areas (CWE-497) [ others ]	Trust: 0.8
problemtype:	Open redirect (CWE-601) [ others ]	Trust: 0.8
problemtype:	Web Improper sanitization of invalid characters in in-page identifiers (CWE-86) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66601

PATCH

title:

YSAR-26-0001

url:

https://www.yokogawa.co.jp/library/resources/white-papers/yokogawa-security-advisory-report-list/

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779

EXTERNAL IDS

db:	NVD	id:	CVE-2025-66601	Trust: 1.8
db:	ICS CERT	id:	ICSA-26-041-01	Trust: 0.8
db:	JVN	id:	JVNVU97860540	Trust: 0.8
db:	JVNDB	id:	JVNDB-2026-002779	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66601

REFERENCES

url:	https://web-material3.yokogawa.com/1/39206/files/ysar-26-0001-e.pdf	Trust: 1.0
url:	https://jvn.jp/vu/jvnvu97860540/index.html	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-01	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66601

SOURCES

db:	JVNDB	id:	JVNDB-2026-002779
db:	NVD	id:	CVE-2025-66601

LAST UPDATE DATE

2026-03-05T19:41:57.198000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2026-002779	date:	2026-02-17T02:14:00
db:	NVD	id:	CVE-2025-66601	date:	2026-03-05T13:35:24.200

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2026-002779	date:	2026-02-09T00:00:00
db:	NVD	id:	CVE-2025-66601	date:	2026-02-09T04:15:49.297