Details of VAR-202602-0257

ID

VAR-202602-0257

CVE

CVE-2025-66606

TITLE

Yokogawa Electric FAST/TOOLS Multiple vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779

DESCRIPTION

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly encode URLs. An attacker could tamper with web pages or execute malicious scripts. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04. The expected impact varies depending on the vulnerability, but could include the following: CVE-2025-66594 The information in the message displayed on the error page could be used for other attacks. CVE-2025-66595 If a user accessed a specially crafted link sent by an attacker, their account could be spoofed. CVE-2025-66596 If an attacker inserts an invalid host header, they may be redirected to a malicious host. CVE-2025-66597 Weak cryptographic algorithms are available, allowing attackers to Web Communications with the server may be decrypted. CVE-2025-66598 old SSL/TLS version available, allowing attackers to Web Communications with the server may be decrypted. CVE-2025-66599Web The physical path displayed on the page can be used for other attacks. CVE-2025-66600 Attackers can perform man-in-the-middle attacks ( Man-in-the-Middle Attack ) is performed, Web There is a risk that communications with the server may be intercepted. CVE-2025-66602Web The server IP To accept access by address, random IP By address Web Malware looking for servers can be introduced into your network. CVE-2025-66603Web The server accepted OPTIONS The information in the method sage can be used in other attacks. CVE-2025-66604Web The library version information displayed on the page can be used for other attacks. CVE-2025-66605Web On the page Autocomplete There are input fields that have the attribute enabled, which may cause the input to be saved in the browser. CVE-2025-66607 Insecure response headers may allow attackers to redirect you to malicious sites. CVE-2025-66608URL Due to insufficient validation, if a crafted request is received by an attacker, Web There is a possibility that files stored on the server may be stolen. For more information, please refer to the information provided by the developer

Trust: 1.62

sources: NVD: CVE-2025-66606 // JVNDB: JVNDB-2026-002779

AFFECTED PRODUCTS

vendor:	yokogawa	model:	fast\/tools	scope:	gte	version:	r9.01	Trust: 1.0
vendor:	yokogawa	model:	fast\/tools	scope:	lte	version:	r10.04	Trust: 1.0
vendor:	横河電機株式会社	model:	fast/tools	scope:	eq	version:	package: rvsvrn , unsvrn , hmiweb , ftees , hmimob version: r9.01 to r10.04 to	Trust: 0.8
vendor:	横河電機株式会社	model:	fast/tools	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66606

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2025-66606
value:	CRITICAL
Trust: 1.0
7168b535-132a-4efe-a076-338f829b2eb9:	CVE-2025-66606
value:	LOW
Trust: 1.0

nvd@nist.gov:	CVE-2025-66606
baseSeverity:	CRITICAL
baseScore:	9.6
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	REQUIRED
scope:	CHANGED
confidentialityImpact:	HIGH
integrityImpact:	HIGH
availabilityImpact:	HIGH
exploitabilityScore:	2.8
impactScore:	6.0
version:	3.1
Trust: 1.0

sources: NVD: CVE-2025-66606 // NVD: CVE-2025-66606

PROBLEMTYPE DATA

problemtype:	CWE-86	Trust: 1.0
problemtype:	Information leakage due to error message (CWE-209) [ others ]	Trust: 0.8
problemtype:	path traversal (/../filename)(CWE-29) [ others ]	Trust: 0.8
problemtype:	During authentication IP Address Dependency (CWE-291) [ others ]	Trust: 0.8
problemtype:	Sending important information in clear text (CWE-319) [ others ]	Trust: 0.8
problemtype:	Use of incomplete or dangerous cryptographic algorithms (CWE-327) [ others ]	Trust: 0.8
problemtype:	Cross-site request forgery (CWE-352) [ others ]	Trust: 0.8
problemtype:	Improperly implemented security checks (CWE-358) [ others ]	Trust: 0.8
problemtype:	Disclosure of Personal Information to Unauthorized Actors (CWE-359) [ others ]	Trust: 0.8
problemtype:	Leakage of important information to unauthorized control areas (CWE-497) [ others ]	Trust: 0.8
problemtype:	Open redirect (CWE-601) [ others ]	Trust: 0.8
problemtype:	Web Improper sanitization of invalid characters in in-page identifiers (CWE-86) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66606

PATCH

title:

YSAR-26-0001

url:

https://www.yokogawa.co.jp/library/resources/white-papers/yokogawa-security-advisory-report-list/

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779

EXTERNAL IDS

db:	NVD	id:	CVE-2025-66606	Trust: 1.8
db:	ICS CERT	id:	ICSA-26-041-01	Trust: 0.8
db:	JVN	id:	JVNVU97860540	Trust: 0.8
db:	JVNDB	id:	JVNDB-2026-002779	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66606

REFERENCES

url:	https://web-material3.yokogawa.com/1/39206/files/ysar-26-0001-e.pdf	Trust: 1.0
url:	https://jvn.jp/vu/jvnvu97860540/index.html	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-01	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66606

SOURCES

db:	JVNDB	id:	JVNDB-2026-002779
db:	NVD	id:	CVE-2025-66606

LAST UPDATE DATE

2026-03-05T19:41:57.160000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2026-002779	date:	2026-02-17T02:14:00
db:	NVD	id:	CVE-2025-66606	date:	2026-03-05T12:38:25.450

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2026-002779	date:	2026-02-09T00:00:00
db:	NVD	id:	CVE-2025-66606	date:	2026-02-09T04:15:49.933