Cyber Resilience

CVE-2025-66597

High

Published: 09 February 2026

Published
09 February 2026
Modified
06 March 2026
KEV Added
Patch
CVSS Score v4 8.8 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:L/VA:N/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0017 6.1th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2025-66597 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Yokogawa Fast\/Tools. Its CVSS base score is 8.8 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-13 (Cryptographic Protection).

Deeper analysis

CVE-2025-66597 affects FAST/TOOLS software provided by Yokogawa Electric Corporation, specifically the packages RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB in versions R9.01 to R10.04. The vulnerability involves the use of weak cryptographic algorithms (CWE-327), which could allow an attacker to decrypt communications with the web server. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability effects.

An unauthenticated attacker with network access to the affected system can exploit this vulnerability with low attack complexity and without requiring user interaction. Exploitation enables the attacker to decrypt sensitive communications exchanged with the web server, potentially exposing confidential data.

Yokogawa Electric Corporation has published security advisory YSAR-26-0001-E at https://web-material3.yokogawa.com/1/39206/files/YSAR-26-0001-E.pdf, which provides further details on the vulnerability. Security practitioners should consult this advisory for recommended mitigations or patches.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product supports weak cryptographic algorithms, potentially allowing an attacker to decrypt communications with the web server. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN,…

more

UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1040 Network Sniffing Credential Access
Adversaries may passively sniff network traffic to capture information about an environment, including authentication material passed over the network.
Why these techniques?

Weak crypto (CWE-327) directly enables effective network sniffing to obtain plaintext from web server traffic.

Confidence: MEDIUM · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2025-66598Same product: Yokogawa Fast\/Tools
CVE-2025-66603Same product: Yokogawa Fast\/Tools
CVE-2025-66608Same product: Yokogawa Fast\/Tools
CVE-2025-66606Same product: Yokogawa Fast\/Tools
CVE-2025-66602Same product: Yokogawa Fast\/Tools
CVE-2025-13476Shared CWE-327
CVE-2019-25651Shared CWE-327
CVE-2024-31896Shared CWE-327
CVE-2025-1924Same vendor: Yokogawa
CVE-2025-63912Shared CWE-327

Affected Assets

yokogawa
fast\/tools
r9.01 — r10.04

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Requires implementation of appropriate cryptographic mechanisms to protect confidentiality of transmitted information, directly mitigating the use of weak cryptographic algorithms in FAST/TOOLS web server communications.

prevent

Mandates protection of transmission confidentiality using secure mechanisms, preventing attackers from decrypting sensitive web server communications vulnerable to weak algorithms.

prevent

Enforces secure configuration settings to disable weak cryptographic algorithms and ciphers in the affected FAST/TOOLS packages, comprehensively addressing the vulnerability through proper system configuration.

References