ID

VAR-202602-0259


CVE

CVE-2025-66605


TITLE

Multiple vulnerabilities in Yokogawa Electric FAST/TOOLS

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779

DESCRIPTION

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Since there are input fields on this webpage with the autocomplete attribute enabled, the input content could be saved in the browser the user is using.

The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04.

The expected impact varies depending on the vulnerability, but could include the following:

CVE-2025-66594: The information in the message displayed on the error page could be used for other attacks.
CVE-2025-66595: If a user accesses a specially crafted link sent by an attacker, their account could be spoofed.
CVE-2025-66596: If an attacker inserts an invalid Host header, redirection to a malicious host may occur.
CVE-2025-66597: Weak cryptographic algorithms are available, so an attacker may be able to decrypt communications with the web server.
CVE-2025-66598: An old SSL/TLS version is available, so an attacker may be able to decrypt communications with the web server.
CVE-2025-66599: The physical path displayed on the web page can be used for other attacks.
CVE-2025-66600: If an attacker performs a man-in-the-middle attack, communications with the web server may be intercepted.
CVE-2025-66601: If a content sniffing attack by an attacker succeeds, malicious scripts may be executed.
CVE-2025-66602: Because the web server accepts access by IP address, malware that looks for web servers by random IP address can be introduced into the network.
CVE-2025-66603: The web server accepts the OPTIONS method, and the information in the method's message can be used in other attacks.
CVE-2025-66604: The library version information displayed on the web page can be used for other attacks.
CVE-2025-66606: Because URLs are not encoded properly, web pages may be defaced or malicious scripts may be executed.
CVE-2025-66607: Insecure response headers may allow attackers to redirect users to malicious sites.
CVE-2025-66608: Because URLs are insufficiently validated, if a request crafted by an attacker is received, files stored on the web server may be stolen.

For more information, please refer to the information provided by the developer.

Trust: 1.62

sources: NVD: CVE-2025-66605 // JVNDB: JVNDB-2026-002779

AFFECTED PRODUCTS

vendor: yokogawa; model: fast/tools; scope: gte; version: r9.01

Trust: 1.0

vendor: yokogawa; model: fast/tools; scope: lte; version: r10.04

Trust: 1.0

vendor: 横河電機株式会社; model: fast/tools; scope: eq; version: package: rvsvrn, unsvrn, hmiweb, ftees, hmimob version: r9.01 to r10.04

Trust: 0.8

vendor: 横河電機株式会社; model: fast/tools; scope: eq; version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66605

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2025-66605
value: MEDIUM

Trust: 1.0

7168b535-132a-4efe-a076-338f829b2eb9: CVE-2025-66605
value: LOW

Trust: 1.0

nvd@nist.gov: CVE-2025-66605
baseSeverity: MEDIUM
baseScore: 5.3
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: NONE
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 1.4
version: 3.1

Trust: 1.0

sources: NVD: CVE-2025-66605 // NVD: CVE-2025-66605

PROBLEMTYPE DATA

problemtype: CWE-359

Trust: 1.0

problemtype: Information leakage due to error message (CWE-209) [ others ]

Trust: 0.8

problemtype: path traversal (/../filename)(CWE-29) [ others ]

Trust: 0.8

problemtype: Reliance on IP address for authentication (CWE-291) [ others ]

Trust: 0.8

problemtype: Sending important information in clear text (CWE-319) [ others ]

Trust: 0.8

problemtype: Use of incomplete or dangerous cryptographic algorithms (CWE-327) [ others ]

Trust: 0.8

problemtype: Cross-site request forgery (CWE-352) [ others ]

Trust: 0.8

problemtype: Improperly implemented security checks (CWE-358) [ others ]

Trust: 0.8

problemtype: Disclosure of Personal Information to Unauthorized Actors (CWE-359) [ others ]

Trust: 0.8

problemtype: Leakage of important information to unauthorized control areas (CWE-497) [ others ]

Trust: 0.8

problemtype: Open redirect (CWE-601) [ others ]

Trust: 0.8

problemtype: Improper sanitization of invalid characters in identifiers in web pages (CWE-86) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66605

PATCH

title: YSAR-26-0001; url: https://www.yokogawa.co.jp/library/resources/white-papers/yokogawa-security-advisory-report-list/

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779

EXTERNAL IDS

db: NVD; id: CVE-2025-66605

Trust: 1.8

db: ICS CERT; id: ICSA-26-041-01

Trust: 0.8

db: JVN; id: JVNVU97860540

Trust: 0.8

db: JVNDB; id: JVNDB-2026-002779

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66605

REFERENCES

url:https://web-material3.yokogawa.com/1/39206/files/ysar-26-0001-e.pdf

Trust: 1.0

url:https://jvn.jp/vu/jvnvu97860540/index.html

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-01

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66605

SOURCES

db: JVNDB; id: JVNDB-2026-002779
db: NVD; id: CVE-2025-66605

LAST UPDATE DATE

2026-03-05T19:41:57.137000+00:00


SOURCES UPDATE DATE

db: JVNDB; id: JVNDB-2026-002779; date: 2026-02-17T02:14:00
db: NVD; id: CVE-2025-66605; date: 2026-03-05T12:47:52.460

SOURCES RELEASE DATE

db: JVNDB; id: JVNDB-2026-002779; date: 2026-02-09T00:00:00
db: NVD; id: CVE-2025-66605; date: 2026-02-09T04:15:49.807