CVE-2025-66598
Published: 09 February 2026
Summary
CVE-2025-66598 is a high-severity Use of a Broken or Risky Cryptographic Algorithm (CWE-327) vulnerability in Yokogawa Fast\/Tools. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Adversary-in-the-Middle (T1557); ranked at the 7.4th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SC-13 (Cryptographic Protection) and SC-8 (Transmission Confidentiality and Integrity).
Deeper analysis
CVE-2025-66598 is a vulnerability in Yokogawa Electric Corporation's FAST/TOOLS software that supports outdated SSL/TLS versions, potentially enabling attackers to decrypt communications with the web server. The issue, classified under CWE-327 (Broken or Risky Cryptographic Algorithm), affects FAST/TOOLS packages including RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB in versions R9.01 through R10.04. It has a CVSS v3.1 base score of 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N), indicating high severity due to significant confidentiality impact.
The vulnerability can be exploited remotely over the network by unauthenticated attackers with low complexity and no user interaction required. Successful exploitation allows attackers to decrypt sensitive communications between clients and the FAST/TOOLS web server, potentially exposing confidential data transmitted over these connections.
Mitigation details are provided in the vendor advisory YSAR-26-0001-E, available at https://web-material3.yokogawa.com/1/39206/files/YSAR-26-0001-E.pdf. Security practitioners should consult this document for patching instructions and recommended workarounds.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2025-207175
Vulnerability details
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product supports old SSL/TLS versions, potentially allowing an attacker to decrypt communications with the web server. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN,…
more
UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Outdated/weak TLS directly enables passive or active decryption of web traffic, facilitating Adversary-in-the-Middle attacks.
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Requires cryptographic protection for the confidentiality and integrity of transmitted information, directly mitigating decryption risks from outdated SSL/TLS versions in FAST/TOOLS web server communications.
Implements cryptographic mechanisms to prevent unauthorized disclosure during transmission, addressing the core cryptographic weakness (CWE-327) enabling attackers to decrypt sensitive data.
Mandates timely flaw remediation, including patching FAST/TOOLS versions R9.01 to R10.04 as advised in YSAR-26-0001-E to eliminate support for vulnerable SSL/TLS protocols.