CVE-2025-1924 Overview
CVE-2025-1924 affects the Vnet/IP Interface Package from Yokogawa Electric Corporation, a component used in CENTUM VP distributed control system (DCS) deployments. Maliciously crafted packets sent to the affected product can stop Vnet/IP communication functions or trigger execution of arbitrary programs. The flaw is tracked as an integer underflow weakness [CWE-191] and is exploitable from an adjacent network position without authentication or user interaction. Industrial operators relying on CENTUM VP R6 and R7 installations are exposed when running vulnerable package versions.
Critical Impact
A specially crafted packet can halt Vnet/IP communications between CENTUM VP nodes or execute arbitrary code on the affected interface, potentially disrupting industrial process control.
Affected Products
- Yokogawa Vnet/IP Interface Package for CENTUM VP R6 (VP6C3300) version R1.07.00 and earlier
- Yokogawa Vnet/IP Interface Package for CENTUM VP R7 (VP7C3300) version R1.07.00 and earlier
- Yokogawa CENTUM VP (including R7.01.10) deployments using the affected interface package
Discovery Timeline
- 2026-02-13 - CVE-2025-1924 published to NVD
- 2026-03-02 - Last updated in NVD database
Technical Details for CVE-2025-1924
Vulnerability Analysis
The Vnet/IP Interface Package implements the Vnet/IP real-time industrial control protocol used between CENTUM VP controllers, operator stations, and engineering workstations. The vulnerability resides in the packet handling logic of this interface. When a malformed packet is processed, an integer underflow condition occurs in length or offset calculations, leading to either a communication stack crash or memory corruption suitable for arbitrary program execution.
Because Vnet/IP traffic is foundational to CENTUM VP operations, loss of communication can cascade into loss of monitoring and control across process units. Code execution on the interface component could allow an attacker to manipulate process data or pivot deeper into the control network.
Root Cause
The root cause is an integer underflow [CWE-191] in the Vnet/IP packet parser. A crafted packet causes an arithmetic operation to wrap below zero, producing an unexpectedly large value used in subsequent buffer or loop operations. This invalidates internal bounds assumptions and produces either denial-of-service conditions or memory corruption.
Attack Vector
The attack vector is the adjacent network (AV:A). The attacker must have access to the Vnet/IP network segment where CENTUM VP nodes communicate. From that position, the attacker sends a specially crafted Vnet/IP packet to a node running the vulnerable interface package. No authentication or user interaction is required. The attack complexity is high, reflecting the timing or structural requirements of the malicious packet.
No verified public proof-of-concept code is available. Refer to the Yokogawa Security Advisory YSAR-26-0002 for vendor technical details.
Detection Methods for CVE-2025-1924
Indicators of Compromise
- Unexpected loss of Vnet/IP communication between CENTUM VP controllers, HIS operator stations, or engineering workstations
- Repeated restarts or watchdog events on nodes running the VP6C3300 or VP7C3300 interface package
- Malformed or oversized Vnet/IP frames captured on the control network segment originating from non-CENTUM endpoints
Detection Strategies
- Deploy passive network monitoring on Vnet/IP segments to flag protocol anomalies, malformed headers, and length-field inconsistencies
- Baseline normal Vnet/IP talker/listener pairs and alert on new or unauthorized source addresses transmitting on the control VLAN
- Correlate CENTUM VP system event logs reporting communication interruptions with concurrent network anomaly alerts
Monitoring Recommendations
- Forward CENTUM VP system logs and network IDS alerts to a centralized analytics platform for cross-correlation
- Monitor for unauthorized host connections to the Vnet/IP control segment via switch port security and ARP inventory checks
- Track patch status and version metadata of the Vnet/IP Interface Package across all CENTUM VP nodes
How to Mitigate CVE-2025-1924
Immediate Actions Required
- Inventory all CENTUM VP R6 and R7 nodes and identify systems running Vnet/IP Interface Package R1.07.00 or earlier
- Restrict physical and logical access to the Vnet/IP control network segment to authorized engineering personnel only
- Apply the vendor-supplied update referenced in the Yokogawa advisory as soon as operational change windows permit
Patch Information
Yokogawa has published security advisory YSAR-26-0002 describing the vulnerability and remediation guidance. Operators should consult the Yokogawa Security Advisory YSAR-26-0002 for the fixed version of the Vnet/IP Interface Package and upgrade instructions specific to CENTUM VP R6 (VP6C3300) and R7 (VP7C3300) environments.
Workarounds
- Segment the Vnet/IP network from corporate IT and other OT networks using firewalls or unidirectional gateways
- Disable or block any unused ports on control network switches and enforce MAC address filtering on Vnet/IP segments
- Implement strict access control for engineering workstations and temporary maintenance laptops connected to the control network
- Monitor Vnet/IP traffic with industrial protocol-aware intrusion detection to flag malformed packets
# Example: restrict Vnet/IP segment access using interface ACL on a control-network switch
# (Adjust to vendor syntax; illustrative only)
ip access-list extended VNETIP-CONTROL
permit ip 10.10.20.0 0.0.0.255 10.10.20.0 0.0.0.255
deny ip any 10.10.20.0 0.0.0.255 log
interface Vlan20
ip access-group VNETIP-CONTROL in
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

