ID

VAR-202602-0267


CVE

CVE-2025-66597


TITLE

Multiple vulnerabilities in Yokogawa Electric FAST/TOOLS

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779

DESCRIPTION

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product supports weak cryptographic algorithms, potentially allowing an attacker to decrypt communications with the web server.

The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04.

The expected impact varies depending on the vulnerability, but could include the following:

CVE-2025-66594: The information in the message displayed on the error page could be used for other attacks.
CVE-2025-66595: If a user accesses a specially crafted link sent by an attacker, their account could be spoofed.
CVE-2025-66596: If an attacker inserts an invalid Host header, a redirect to a malicious host may occur.
CVE-2025-66599: The physical path displayed on the web page can be used for other attacks.
CVE-2025-66601: If a content sniffing attack by the attacker is successful, malicious scripts may be executed.
CVE-2025-66602: Because the web server accepts access by IP address, malware that looks for web servers by random IP address can be introduced into the network.
CVE-2025-66603: The information in the message of the OPTIONS method accepted by the web server can be used in other attacks.
CVE-2025-66604: The library version information displayed on the web page can be used for other attacks.
CVE-2025-66605: The web page has input fields with the autocomplete attribute enabled, which may cause the input to be saved in the browser.
CVE-2025-66606: Due to a poor URL encoding process, web pages may be defaced or malicious scripts may be executed.
CVE-2025-66607: Insecure response headers may allow attackers to redirect users to malicious sites.
CVE-2025-66608: Due to insufficient URL validation, if a crafted request from an attacker is received, files stored on the web server may be stolen.

For more information, please refer to the information provided by the developer.

Trust: 1.62

sources: NVD: CVE-2025-66597 // JVNDB: JVNDB-2026-002779

AFFECTED PRODUCTS

vendor: yokogawa
model: fast/tools
scope: lte
version: r10.04

Trust: 1.0

vendor: yokogawa
model: fast/tools
scope: gte
version: r9.01

Trust: 1.0

vendor: Yokogawa Electric Corporation
model: fast/tools
scope: eq
version: package: rvsvrn, unsvrn, hmiweb, ftees, hmimob version: r9.01 to r10.04

Trust: 0.8

vendor: Yokogawa Electric Corporation
model: fast/tools
scope: eq
version: -

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66597

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2025-66597
value: HIGH

Trust: 1.0

7168b535-132a-4efe-a076-338f829b2eb9: CVE-2025-66597
value: HIGH

Trust: 1.0

OTHER: JVNDB-2026-002779
value: HIGH

Trust: 0.8

nvd@nist.gov: CVE-2025-66597
baseSeverity: HIGH
baseScore: 7.5
vectorString: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 3.6
version: 3.1

Trust: 1.0

OTHER: JVNDB-2026-002779
baseSeverity: HIGH
baseScore: 8.2
vectorString: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
attackVector: NETWORK
attackComplexity: LOW
privilegesRequired: NONE
userInteraction: NONE
scope: UNCHANGED
confidentialityImpact: HIGH
integrityImpact: LOW
availabilityImpact: NONE
exploitabilityScore: NONE
impactScore: NONE
version: 3.0

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66597 // NVD: CVE-2025-66597

PROBLEMTYPE DATA

problemtype:CWE-327

Trust: 1.0

problemtype:Information leakage due to error message (CWE-209) [ others ]

Trust: 0.8

problemtype: Path traversal (/../filename) (CWE-29) [ others ]

Trust: 0.8

problemtype: Reliance on IP address for authentication (CWE-291) [ others ]

Trust: 0.8

problemtype: Sending important information in clear text (CWE-319) [ others ]

Trust: 0.8

problemtype: Use of incomplete or dangerous cryptographic algorithms (CWE-327) [ others ]

Trust: 0.8

problemtype: Cross-site request forgery (CWE-352) [ others ]

Trust: 0.8

problemtype: Improperly implemented security checks (CWE-358) [ others ]

Trust: 0.8

problemtype: Disclosure of Personal Information to Unauthorized Actors (CWE-359) [ others ]

Trust: 0.8

problemtype: Leakage of important information to unauthorized control areas (CWE-497) [ others ]

Trust: 0.8

problemtype: Open redirect (CWE-601) [ others ]

Trust: 0.8

problemtype: Improper sanitization of invalid characters in identifiers in web pages (CWE-86) [ others ]

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66597

PATCH

title: YSAR-26-0001
url: https://www.yokogawa.co.jp/library/resources/white-papers/yokogawa-security-advisory-report-list/

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779

EXTERNAL IDS

db: NVD
id: CVE-2025-66597

Trust: 1.8

db: ICS CERT
id: ICSA-26-041-01

Trust: 0.8

db: JVN
id: JVNVU97860540

Trust: 0.8

db: JVNDB
id: JVNDB-2026-002779

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66597

REFERENCES

url:https://web-material3.yokogawa.com/1/39206/files/ysar-26-0001-e.pdf

Trust: 1.0

url:https://jvn.jp/vu/jvnvu97860540/index.html

Trust: 0.8

url:https://www.cisa.gov/news-events/ics-advisories/icsa-26-041-01

Trust: 0.8

sources: JVNDB: JVNDB-2026-002779 // NVD: CVE-2025-66597

SOURCES

db: JVNDB
id: JVNDB-2026-002779

db: NVD
id: CVE-2025-66597

LAST UPDATE DATE

2026-03-07T19:45:30.218000+00:00


SOURCES UPDATE DATE

db: JVNDB
id: JVNDB-2026-002779
date: 2026-02-17T02:14:00

db: NVD
id: CVE-2025-66597
date: 2026-03-06T20:29:06.233

SOURCES RELEASE DATE

db: JVNDB
id: JVNDB-2026-002779
date: 2026-02-09T00:00:00

db: NVD
id: CVE-2025-66597
date: 2026-02-09T05:16:24.070