What is the CVSS score of CVE-2025-66606?

CVE-2025-66606 has a CVSS 3.1 base score of 9.6 (Critical). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H. EPSS exploitation probability: 0.0%.

Which versions of FAST are affected by CVE-2025-66606?

A critical vulnerability (CVE-2025-66606) in Yokogawa FAST/TOOLS allows attackers to exploit improper URL encoding, potentially enabling unauthorized access, data theft, or system compromise.

How to fix or mitigate CVE-2025-66606?

Within 24 hours: Identify all systems running FAST/TOOLS and isolate them from untrusted networks; notify Yokogawa for patch availability and timeline. Within 7 days: Implement network segmentation to restrict access to FAST/TOOLS; deploy WAF rules to filter malicious URL-encoded payloads; enable enhanced logging and monitoring. Within 30 days: Evaluate alternative control systems; establish vendor communication cadence for patch release; conduct penetration testing once mitigations are in place.

FAST CVE-2025-66606

CRITICAL

Improper Neutralization of Invalid Characters in Identifiers in Web Pages (CWE-86)

2026-02-09 7168b535-132a-4efe-a076-338f829b2eb9

Information Disclosure

9.6

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

High

Integrity

High

Availability

High

Lifecycle Timeline

Analysis Generated

Mar 12, 2026 - 21:54 vuln.today

CVE Published

Feb 09, 2026 - 04:15 nvd

CRITICAL 9.6

DescriptionNVD

A vulnerability has been found in FAST/TOOLS provided by Yokogawa Electric Corporation.

This product does not properly encode URLs. An attacker could tamper with web pages or execute malicious scripts.

The affected products and versions are as follows: FAST/TOOLS (Packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB) R9.01 to R10.04

AnalysisAI

Yokogawa FAST/TOOLS has a third vulnerability involving improper encoding of output that could enable injection attacks against the SCADA web interface.

Technical ContextAI

CWE-86 improper neutralization of invalid characters in identifiers in Yokogawa FAST/TOOLS, the third vulnerability in the advisory.

RemediationAI

Apply all Yokogawa FAST/TOOLS patches.

CVE-2025-66606 vulnerability details – vuln.today

Back

FAST CVE-2025-66606

CVSS VectorNVD

Lifecycle Timeline

DescriptionNVD

AnalysisAI

Technical ContextAI

RemediationAI

Share

External POC / Exploit Code