CVE-2025-66606
Published: 09 February 2026
Summary
CVE-2025-66606 is a critical-severity Improper Neutralization of Invalid Characters in Identifiers in Web Pages (CWE-86) vulnerability in Yokogawa FAST/TOOLS. Its CVSS base score is 9.6 (Critical).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The vulnerability ranks at the 18.1th percentile by exploit likelihood (below the median) and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-15 (Information Output Filtering).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
SI-15 mandates filtering and encoding of information outputs, directly addressing the improper URL encoding that allows attackers to inject malicious scripts or tamper with web pages.
SI-10 enforces validation of all inputs including URLs, preventing acceptance of malformed or malicious payloads that exploit the encoding flaw.
SI-2 requires timely identification, reporting, and correction of software flaws like this improper URL encoding vulnerability through patching.
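As an added example, not code from Yokogawa or from this advisory, the following shows the two controls above applied to a web page that reflects a user-supplied URL into a link: the vulnerable rendering (the CWE-86 pattern, with the URL interpolated as-is) beside a hardened version that validates the URL against an allow-list (SI-10) and HTML-encodes the output (SI-15). The "return to" parameter, the paths and the sample inputs are constructed for illustration and are not the product's own.

```python
# Added example (not Yokogawa code): the SI-10 / SI-15 pattern described above,
# applied to a web page that reflects a user-supplied URL into a link.
import html
import re
from typing import Optional
from urllib.parse import quote, urlsplit

# Constructed sample inputs for a hypothetical "return to" parameter; the real
# FAST/TOOLS parameter names are not given on the page.
SAMPLE_INPUTS = [
    "/hmi/overview?page=1",                   # benign relative path
    '/hmi/overview?page="><b>x</b>',          # markup in the query string
    '/hmi/"><b>tampered</b>',                 # attribute break-out in the path
    "javascript:void(0)",                     # scheme abuse
    "https://attacker.example/",              # off-site redirect
]

# SI-10: only same-site paths with a conservative character set are accepted.
ALLOWED_PATH = re.compile(r"^/[A-Za-z0-9_\-./]*$")


def render_link_unsafe(target: str) -> str:
    """Vulnerable pattern (CWE-86): the URL is interpolated into HTML as-is,
    so quotes and angle brackets in it become part of the page's markup."""
    return f'<a href="{target}">Back</a>'


def validate_target(target: str) -> Optional[str]:
    """SI-10 input validation. Returns a canonical relative URL, or None when
    the input carries a scheme, a host, or characters outside the allow-list."""
    parts = urlsplit(target)
    if parts.scheme or parts.netloc:
        return None                      # absolute URLs and javascript: rejected
    if not ALLOWED_PATH.fullmatch(parts.path):
        return None                      # invalid characters in the path
    # Percent-encode the query so reserved characters are data, not delimiters.
    query = quote(parts.query, safe="=&")
    return parts.path + (f"?{query}" if query else "")


def render_link_safe(target: str, fallback: str = "/") -> str:
    """SI-15 output filtering: validate first, then HTML-encode the attribute
    value so whatever survives validation cannot break out of href="...".
    Rejected inputs fall back to a fixed, known-good location."""
    safe_target = validate_target(target)
    if safe_target is None:
        safe_target = fallback
    return f'<a href="{html.escape(safe_target, quote=True)}">Back</a>'


if __name__ == "__main__":
    for raw in SAMPLE_INPUTS:
        print("input :", raw)
        print("unsafe:", render_link_unsafe(raw))
        print("safe  :", render_link_safe(raw))
        print()
```

The two layers are deliberately independent: validation rejects schemes, hosts and out-of-charset paths outright, while percent-encoding of the query and HTML-encoding of the attribute make any character that does pass validation inert in the rendered page. Reviewing a web front end for this class of flaw means checking that both steps happen on every place a URL is echoed, not just on the obvious redirect parameter.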
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Improper URL encoding (CWE-86) in a public-facing web application enables remote script injection and page tampering via crafted URLs (T1190); this in turn directly facilitates malicious JavaScript execution in the victim's browser context (T1059.007).
NVD Description
A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation. This product does not properly encode URLs. An attacker could tamper with web pages or execute malicious scripts. The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04
Deeper analysis
CVE-2025-66606 affects FAST/TOOLS software provided by Yokogawa Electric Corporation, specifically the packages RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB in versions R9.01 to R10.04. The vulnerability arises from improper URL encoding, classified under CWE-86, enabling attackers to tamper with web pages or execute malicious scripts. Published on 2026-02-09, it carries a CVSS v3.1 base score of 9.6 (AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H), indicating critical severity due to its network accessibility, low complexity, and high impacts across confidentiality, integrity, and availability.
An unauthenticated attacker can exploit this vulnerability remotely over the network with low attack complexity, though it requires user interaction, such as a victim clicking a malicious link or visiting a crafted URL. Exploitation changes the security scope, allowing the attacker to achieve high-level compromise, including execution of arbitrary scripts, web page manipulation, and potential full control over the affected FAST/TOOLS instance.
Yokogawa's security advisory YSAR-26-0001-E, accessible at https://web-material3.yokogawa.com/1/39206/files/YSAR-26-0001-E.pdf, provides details on the vulnerability. Security practitioners should consult this reference for recommended mitigations, patches, or workarounds specific to the affected versions.
Details
- CWE(s)