Details of VAR-202602-0263

ID

VAR-202602-0263

CVE

CVE-2025-66594

TITLE

Yokogawa Electric FAST/TOOLS Multiple vulnerabilities in

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779

DESCRIPTION

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. Detailed messages are displayed on the error page. This information could be exploited by an attacker for other attacks. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04. The expected impact varies depending on the vulnerability, but could include the following: CVE-2025-66594 The information in the message displayed on the error page could be used for other attacks. CVE-2025-66595 If a user accessed a specially crafted link sent by an attacker, their account could be spoofed. CVE-2025-66596 If an attacker inserts an invalid host header, they may be redirected to a malicious host. CVE-2025-66597 Weak cryptographic algorithms are available, allowing attackers to Web Communications with the server may be decrypted. CVE-2025-66598 old SSL/TLS version available, allowing attackers to Web Communications with the server may be decrypted. CVE-2025-66600 Attackers can perform man-in-the-middle attacks ( Man-in-the-Middle Attack ) is performed, Web There is a risk that communications with the server may be intercepted. CVE-2025-66601 by the attacker Content Sniffing If an attack is successful, malicious scripts may be executed. CVE-2025-66602Web The server IP To accept access by address, random IP By address Web Malware looking for servers can be introduced into your network. CVE-2025-66603Web The server accepted OPTIONS The information in the method sage can be used in other attacks. CVE-2025-66605Web On the page Autocomplete There are input fields that have the attribute enabled, which may cause the input to be saved in the browser. CVE-2025-66606URL Due to poor encoding process, Web Pages may be defaced or malicious scripts may be executed. CVE-2025-66607 Insecure response headers may allow attackers to redirect you to malicious sites. CVE-2025-66608URL Due to insufficient validation, if a crafted request is received by an attacker, Web There is a possibility that files stored on the server may be stolen. For more information, please refer to the information provided by the developer

Trust: 1.62

sources: NVD: CVE-2025-66594 // JVNDB: JVNDB-2026-002779

AFFECTED PRODUCTS

vendor:	yokogawa	model:	fast\/tools	scope:	lte	version:	r10.04	Trust: 1.0
vendor:	yokogawa	model:	fast\/tools	scope:	gte	version:	r9.01	Trust: 1.0
vendor:	横河電機株式会社	model:	fast/tools	scope:	eq	version:	package: rvsvrn , unsvrn , hmiweb , ftees , hmimob version: r9.01 to r10.04 to	Trust: 0.8
vendor:	横河電機株式会社	model:	fast/tools	scope:	eq	version:	-	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66594

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2025-66594
value:	MEDIUM
Trust: 1.0
7168b535-132a-4efe-a076-338f829b2eb9:	CVE-2025-66594
value:	MEDIUM
Trust: 1.0
OTHER:	JVNDB-2026-002779
value:	MEDIUM
Trust: 0.8

nvd@nist.gov:	CVE-2025-66594
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	3.9
impactScore:	1.4
version:	3.1
Trust: 1.0
OTHER:	JVNDB-2026-002779
baseSeverity:	MEDIUM
baseScore:	5.3
vectorString:	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
attackVector:	NETWORK
attackComplexity:	LOW
privilegesRequired:	NONE
userInteraction:	NONE
scope:	UNCHANGED
confidentialityImpact:	LOW
integrityImpact:	NONE
availabilityImpact:	NONE
exploitabilityScore:	NONE
impactScore:	NONE
version:	3.0
Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66594 // NVD: CVE-2025-66594

PROBLEMTYPE DATA

problemtype:	CWE-209	Trust: 1.0
problemtype:	Information leakage due to error message (CWE-209) [ others ]	Trust: 0.8
problemtype:	path traversal (/../filename)(CWE-29) [ others ]	Trust: 0.8
problemtype:	During authentication IP Address Dependency (CWE-291) [ others ]	Trust: 0.8
problemtype:	Sending important information in clear text (CWE-319) [ others ]	Trust: 0.8
problemtype:	Use of incomplete or dangerous cryptographic algorithms (CWE-327) [ others ]	Trust: 0.8
problemtype:	Cross-site request forgery (CWE-352) [ others ]	Trust: 0.8
problemtype:	Improperly implemented security checks (CWE-358) [ others ]	Trust: 0.8
problemtype:	Disclosure of Personal Information to Unauthorized Actors (CWE-359) [ others ]	Trust: 0.8
problemtype:	Leakage of important information to unauthorized control areas (CWE-497) [ others ]	Trust: 0.8
problemtype:	Open redirect (CWE-601) [ others ]	Trust: 0.8
problemtype:	Web Improper sanitization of invalid characters in in-page identifiers (CWE-86) [ others ]	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66594

PATCH

title:

YSAR-26-0001

url:

https://www.yokogawa.co.jp/library/resources/white-papers/yokogawa-security-advisory-report-list/

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779

EXTERNAL IDS

db:	NVD	id:	CVE-2025-66594	Trust: 1.8
db:	ICS CERT	id:	ICSA-26-041-01	Trust: 0.8
db:	JVN	id:	JVNVU97860540	Trust: 0.8
db:	JVNDB	id:	JVNDB-2026-002779	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66594

REFERENCES

url:	https://web-material3.yokogawa.com/1/39206/files/ysar-26-0001-e.pdf	Trust: 1.0
url:	https://jvn.jp/vu/jvnvu97860540/index.html	Trust: 0.8
url:	https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-01	Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66594

SOURCES

db:	JVNDB	id:	JVNDB-2026-002779
db:	NVD	id:	CVE-2025-66594

LAST UPDATE DATE

2026-03-07T19:45:30.298000+00:00

SOURCES UPDATE DATE

db:	JVNDB	id:	JVNDB-2026-002779	date:	2026-02-17T02:14:00
db:	NVD	id:	CVE-2025-66594	date:	2026-03-06T20:27:20.503

SOURCES RELEASE DATE

db:	JVNDB	id:	JVNDB-2026-002779	date:	2026-02-09T00:00:00
db:	NVD	id:	CVE-2025-66594	date:	2026-02-09T05:16:21.840