CVE-2025-66597
Published: 09 February 2026
Summary
CVE-2025-66597 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Yokogawa Fast\/Tools. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Network Sniffing (T1040); ranked at the 6.1th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 CM-6 (Configuration Settings) and SC-13 (Cryptographic Protection).
Deeper analysis
CVE-2025-66597 affects FAST/TOOLS software provided by Yokogawa Electric Corporation, specifically the packages RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB in versions R9.01 to R10.04. The vulnerability involves the use of weak cryptographic algorithms (CWE-327), which could allow an attacker to decrypt communications with the web server. It carries a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high confidentiality impact with no integrity or availability effects.
An unauthenticated attacker with network access to the affected system can exploit this vulnerability with low attack complexity and without requiring user interaction. Exploitation enables the attacker to decrypt sensitive communications exchanged with the web server, potentially exposing confidential data.
Yokogawa Electric Corporation has published security advisory YSAR-26-0001-E at https://web-material3.yokogawa.com/1/39206/files/YSAR-26-0001-E.pdf, which provides further details on the vulnerability. Security practitioners should consult this advisory for recommended mitigations or patches.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207176
Vulnerability details
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product supports weak cryptographic algorithms, potentially allowing an attacker to decrypt communications with the web server. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN,…
more
UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Weak crypto (CWE-327) directly enables effective network sniffing to obtain plaintext from web server traffic.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires implementation of appropriate cryptographic mechanisms to protect confidentiality of transmitted information, directly mitigating the use of weak cryptographic algorithms in FAST/TOOLS web server communications.
Mandates protection of transmission confidentiality using secure mechanisms, preventing attackers from decrypting sensitive web server communications vulnerable to weak algorithms.
Enforces secure configuration settings to disable weak cryptographic algorithms and ciphers in the affected FAST/TOOLS packages, comprehensively addressing the vulnerability through proper system configuration.