CVE-2025-66600
Missing HSTS in Yokogawa FAST/TOOLS Enables MITM Attacks
Publication date: 2026-02-09
Last updated on: 2026-02-09
Assigner: YokogawaGroup
Description
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yokogawa | electric_corporation | From R9.01 (inclusive) to R10.04 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-358 | The product does not implement or incorrectly implements one or more security-relevant checks as specified by the design of a standardized algorithm, protocol, or technique. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the FAST/TOOLS product by Yokogawa Electric Corporation, specifically versions R9.01 to R10.04. The issue is the lack of HTTP Strict Transport Security (HSTS) configuration in the product.
Without HSTS, when an attacker performs a Man-in-the-Middle (MITM) attack, they can intercept and sniff communications between the client and the web server, potentially capturing sensitive data.
How can this vulnerability impact me?
The lack of HSTS configuration allows attackers to perform Man-in-the-Middle (MITM) attacks, which can lead to interception and eavesdropping on communications with the web server.
This means sensitive information transmitted over the network could be exposed to unauthorized parties, increasing the risk of data theft or manipulation.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability is due to the lack of HTTP Strict Transport Security (HSTS) configuration in the FAST/TOOLS web server, which allows Man-in-the-Middle (MITM) attacks to sniff communications.
To detect this vulnerability on your system, check the HTTP response headers from the FAST/TOOLS web server to see whether the 'Strict-Transport-Security' header is missing.
Suggested commands to detect the absence of the HSTS header include using curl or similar tools:
- curl -I https://[target-server] | grep -i Strict-Transport-Security
- If the command returns no output, HSTS is not configured, confirming the vulnerability.
Check the HTTPS endpoint specifically: browsers ignore an HSTS header delivered over plain HTTP, so a header that is only present on the HTTP response does not count. Because curl -I sends a HEAD request, repeat the check with a GET (for example, curl -s -D - -o /dev/null https://[target-server]) if the server answers HEAD and GET differently.
What immediate steps should I take to mitigate this vulnerability?
Yokogawa recommends upgrading affected FAST/TOOLS versions to R10.04 and applying patch CS_e12787 after installing R10.04 SP3 to mitigate this and other vulnerabilities.
Additionally, enabling HTTP Strict Transport Security (HSTS) on the web server configuration will help prevent Man-in-the-Middle attacks by enforcing secure HTTPS connections.
Customers should assess their system environments and apply the provided patches accordingly. Yokogawa offers support for applying these countermeasures and other cybersecurity measures.
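The following is an added example for the detection answer above and for verifying the HSTS mitigation once it is enabled; it is not Yokogawa's code and does not come from the FAST/TOOLS product. It parses the Strict-Transport-Security header the way a browser does and reports why a policy is absent or weak (missing header, missing or non-numeric max-age, max-age below one year, no includeSubDomains, or a response not fetched over HTTPS). The one-year threshold, the sample header sets, and the `fetch_headers` helper are assumptions made for this example.

```python
"""Check an HTTP response's Strict-Transport-Security (HSTS) header.

Added example, not Yokogawa's code. The sample responses below are
constructed for illustration, not captured from a FAST/TOOLS server.
"""
import sys
import urllib.request
from urllib.parse import urlsplit

# One year in seconds: the minimum max-age commonly recommended (and required
# by browser preload lists). Treated here as an assumed policy threshold.
MIN_MAX_AGE = 31536000


def parse_hsts(value: str) -> dict:
    """Parse an HSTS header value into its directives (RFC 6797).

    Directives are ';'-separated and case-insensitive; a repeated directive
    name makes the header invalid, in which case {} is returned.
    """
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        name = name.strip().lower()
        if name in directives:  # duplicate directive -> browsers ignore header
            return {}
        directives[name] = val.strip().strip('"')
    return directives


def evaluate_hsts(headers: dict, scheme: str = "https") -> dict:
    """Return a verdict for one response's headers.

    headers: mapping of header names to values (looked up case-insensitively).
    scheme:  scheme the response was fetched over; HSTS received over plain
             HTTP is ignored by browsers, so such a response never counts.
    """
    value = next((v for k, v in headers.items()
                  if k.lower() == "strict-transport-security"), None)
    issues = []
    if scheme != "https":
        issues.append("response not fetched over HTTPS; HSTS is only honoured on HTTPS responses")
    if value is None:
        issues.append("Strict-Transport-Security header missing")
        return {"present": False, "max_age": None,
                "include_subdomains": False, "issues": issues}
    d = parse_hsts(value)
    max_age = None
    if "max-age" not in d or not d["max-age"].isdigit():
        issues.append("max-age directive missing or not numeric (header ignored by browsers)")
    else:
        max_age = int(d["max-age"])
        if max_age == 0:
            issues.append("max-age=0 disables the policy")
        elif max_age < MIN_MAX_AGE:
            issues.append(f"max-age {max_age} is below {MIN_MAX_AGE} (one year)")
    include_sub = "includesubdomains" in d
    if not include_sub:
        issues.append("includeSubDomains not set; subdomains remain unprotected")
    return {"present": True, "max_age": max_age,
            "include_subdomains": include_sub, "issues": issues}


def fetch_headers(url: str, timeout: float = 5.0) -> dict:
    """Fetch response headers with a GET (some servers treat HEAD differently)."""
    req = urllib.request.Request(url, method="GET")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return dict(resp.headers.items())


def check_url(url: str) -> dict:
    """Fetch a URL and evaluate its HSTS policy using the URL's own scheme."""
    return evaluate_hsts(fetch_headers(url), scheme=urlsplit(url).scheme)


# Constructed sample responses (not real FAST/TOOLS output).
VULNERABLE_RESPONSE = {"Server": "example", "Content-Type": "text/html"}  # no HSTS
WEAK_RESPONSE = {"strict-transport-security": "max-age=300"}
HARDENED_RESPONSE = {"Strict-Transport-Security": "max-age=31536000; includeSubDomains"}

if __name__ == "__main__":
    for label, hdrs in [("vulnerable", VULNERABLE_RESPONSE),
                        ("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)]:
        print(label, evaluate_hsts(hdrs))
    if len(sys.argv) > 1:  # optional live check: python hsts_check.py https://host/
        print(sys.argv[1], check_url(sys.argv[1]))
```

Run it without arguments to see the three constructed verdicts, or pass an HTTPS URL to check a live server; the header is fetched with GET rather than HEAD so the result matches what a browser would receive.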