CVE-2025-66601 Overview
CVE-2025-66601 affects FAST/TOOLS, a SCADA software suite provided by Yokogawa Electric Corporation. The product fails to specify MIME types in HTTP responses, allowing browsers to perform content sniffing. An attacker who can influence served content may trick the browser into interpreting data as executable script, leading to script execution in the user's session. The flaw is categorized under CWE-358: Improperly Implemented Security Check for Standard. Affected packages include RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB across versions R9.01 through R10.04.
Critical Impact
Content sniffing attacks against FAST/TOOLS web interfaces can result in execution of attacker-controlled scripts in operator browsers, potentially exposing industrial control system credentials and session data.
Affected Products
- Yokogawa FAST/TOOLS R9.01 through R10.04
- Affected packages: RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB
- Deployments using the FAST/TOOLS web HMI components
Discovery Timeline
- 2026-02-09 - CVE-2025-66601 published to NVD
- 2026-03-05 - Last updated in NVD database
Technical Details for CVE-2025-66601
Vulnerability Analysis
The vulnerability stems from FAST/TOOLS web components serving HTTP responses without explicit Content-Type headers or X-Content-Type-Options: nosniff directives. When MIME types are absent, browsers fall back to content sniffing heuristics that inspect response bodies to guess the type. An attacker can craft input that gets stored or reflected by the application and structure it so the browser identifies it as HTML or JavaScript. The browser then renders the content as script, executing in the security context of the FAST/TOOLS web interface. This is a classic MIME confusion issue affecting industrial HMI software where operators interact with the system through privileged browser sessions.
Root Cause
The FAST/TOOLS web packages (HMIWEB, HMIMOB, and supporting server components) do not enforce strict MIME type declarations on served content. Missing Content-Type headers combined with absent anti-sniffing directives leave content interpretation to the browser. This violates the standard security expectation documented in [CWE-358].
Attack Vector
An attacker delivers crafted content through a network-accessible FAST/TOOLS endpoint that an operator's browser later retrieves. Because the response lacks a definitive MIME type, the browser performs sniffing and treats the payload as executable script. Exploitation requires no authentication but depends on attacker placement of content reachable by the target browser. The vulnerability mechanism is described in the Yokogawa Security Advisory YSAR-26-0001.
Detection Methods for CVE-2025-66601
Indicators of Compromise
- HTTP responses from FAST/TOOLS servers lacking Content-Type or X-Content-Type-Options headers
- Unexpected script execution within FAST/TOOLS HMI browser sessions
- Operator workstation processes spawned from browser contexts hosting FAST/TOOLS pages
- Anomalous outbound network connections from HMI workstations to untrusted hosts
Detection Strategies
- Inspect HTTP traffic to FAST/TOOLS servers for responses missing MIME type declarations
- Monitor browser-based HMI workstations for unexpected child processes or script-driven activity
- Audit application logs for uploads or stored content that may serve as a sniffing payload
Monitoring Recommendations
- Capture and analyze HTTP response headers between operator workstations and FAST/TOOLS packages
- Alert on deviations from baseline browser process behavior on engineering and operator stations
- Track authentication anomalies on FAST/TOOLS accounts that may indicate session theft following script execution
How to Mitigate CVE-2025-66601
Immediate Actions Required
- Apply the vendor update referenced in Yokogawa Security Advisory YSAR-26-0001
- Restrict network access to FAST/TOOLS web interfaces to authorized operator subnets only
- Review and remove unnecessary user-supplied content stored within FAST/TOOLS packages
Patch Information
Yokogawa published advisory YSAR-26-0001 describing the issue and remediation guidance for FAST/TOOLS versions R9.01 through R10.04. Operators should consult the advisory PDF for fixed versions and any required configuration changes for the RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB packages.
Workarounds
- Configure reverse proxies or web application gateways to inject X-Content-Type-Options: nosniff on responses from FAST/TOOLS endpoints
- Enforce strict Content-Type headers at the network boundary for all FAST/TOOLS HTTP traffic
- Isolate HMI workstations on dedicated VLANs with egress filtering to limit attacker-reachable surfaces
- Disable or restrict any FAST/TOOLS features that accept user-uploaded content where feasible
# Example reverse proxy hardening (nginx) for FAST/TOOLS endpoints
add_header X-Content-Type-Options "nosniff" always;
add_header Content-Security-Policy "default-src 'self'" always;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.

