CVE-2025-66603 Overview
A vulnerability has been identified in FAST/TOOLS, an industrial automation software suite provided by Yokogawa Electric Corporation. The web server component improperly accepts the HTTP OPTIONS method, which allows remote attackers to enumerate supported HTTP methods and potentially gather reconnaissance information that could facilitate subsequent attacks against the system.
Critical Impact
The vulnerability exposes HTTP method information that attackers can leverage for reconnaissance purposes, potentially enabling further attacks against industrial control system (ICS) environments.
Affected Products
- FAST/TOOLS Package: RVSVRN (versions R9.01 to R10.04)
- FAST/TOOLS Package: UNSVRN (versions R9.01 to R10.04)
- FAST/TOOLS Package: HMIWEB (versions R9.01 to R10.04)
- FAST/TOOLS Package: FTEES (versions R9.01 to R10.04)
- FAST/TOOLS Package: HMIMOB (versions R9.01 to R10.04)
Discovery Timeline
- 2026-02-09 - CVE-2025-66603 published to NVD
- 2026-02-09 - Last updated in NVD database
Technical Details for CVE-2025-66603
Vulnerability Analysis
This vulnerability is classified under CWE-358 (Improperly Implemented Security Check for Standard). The web server embedded in Yokogawa FAST/TOOLS accepts HTTP OPTIONS requests, which is a standard HTTP method used to describe communication options for a target resource. While the OPTIONS method itself is part of the HTTP specification, exposing it in industrial control system environments can provide attackers with valuable reconnaissance data.
When the web server responds to an OPTIONS request, it typically returns an Allow header containing all supported HTTP methods (e.g., GET, POST, PUT, DELETE, HEAD, OPTIONS). This information disclosure enables attackers to understand the attack surface and identify potentially dangerous methods that may be enabled, such as PUT or DELETE, which could be leveraged in subsequent attack phases.
The network-based attack vector combined with the requirement for user interaction and high attack complexity results in a limited but notable information disclosure risk, particularly relevant in operational technology (OT) and industrial environments where FAST/TOOLS is deployed.
Root Cause
The root cause stems from improper implementation of security checks for standard HTTP methods. The web server fails to restrict or disable the HTTP OPTIONS method, which is often unnecessary for normal application functionality in ICS environments. This represents an insecure default configuration where the server exposes more functionality than required for legitimate operations.
Attack Vector
An attacker with network access to the FAST/TOOLS web server can send HTTP OPTIONS requests to enumerate supported methods. The attack requires network connectivity to the target system and does not require authentication. The disclosed information provides reconnaissance value that could inform more sophisticated attacks against the industrial control system.
The attack flow involves sending a simple HTTP OPTIONS request to the web server endpoint. The server responds with an Allow header listing all permitted HTTP methods, revealing the attack surface to potential adversaries. In ICS environments, this type of information leakage can be particularly valuable for threat actors conducting targeted attacks against critical infrastructure.
Detection Methods for CVE-2025-66603
Indicators of Compromise
- HTTP OPTIONS requests to FAST/TOOLS web server endpoints from unexpected source addresses
- Unusual volume of HTTP method enumeration activity against industrial control system web interfaces
- Network traffic patterns consistent with automated scanning or reconnaissance against the FAST/TOOLS web server
Detection Strategies
- Monitor web server access logs for HTTP OPTIONS method requests, particularly from external or untrusted network segments
- Implement network intrusion detection rules to alert on HTTP OPTIONS requests targeting ICS web interfaces
- Deploy application-layer monitoring to detect method enumeration attempts against FAST/TOOLS components
Monitoring Recommendations
- Enable detailed logging on FAST/TOOLS web server components to capture all HTTP request methods
- Establish baseline traffic patterns for normal FAST/TOOLS operations and alert on deviations
- Monitor for sequential HTTP method probing that may indicate reconnaissance activity
How to Mitigate CVE-2025-66603
Immediate Actions Required
- Review and restrict network access to FAST/TOOLS web server interfaces using firewall rules and network segmentation
- Audit current HTTP method configurations on affected FAST/TOOLS deployments
- Implement web application firewall (WAF) rules to block or restrict HTTP OPTIONS requests where not required for legitimate operations
- Consult the Yokogawa Security Advisory for vendor-specific guidance
Patch Information
Yokogawa Electric Corporation has published a security advisory (YSAR-26-0001-E) addressing this vulnerability. Organizations running affected versions of FAST/TOOLS (packages RVSVRN, UNSVRN, HMIWEB, FTEES, HMIMOB from versions R9.01 to R10.04) should consult the Yokogawa Security Advisory for specific patch availability and remediation instructions.
Workarounds
- Configure web server or reverse proxy to deny HTTP OPTIONS method requests at the network perimeter
- Implement network segmentation to restrict access to FAST/TOOLS web interfaces from untrusted networks
- Deploy application-level controls to filter and block OPTIONS method responses from reaching external networks
- Consider placing FAST/TOOLS web components behind a reverse proxy with method filtering capabilities
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
