Yokogawa CENTUM VP Flaw Exposes Industrial Systems to Unauthorized Access

A hard-coded password vulnerability (CVE-2025-7741) in Yokogawa CENTUM VP allows attackers to gain unauthorized access as the PROG user and modify system permissions. Industrial sectors such as energy, manufacturing, and food production using vulnerable versions are at risk. Immediate mitigation is required to prevent potential operational disruptions or sabotage.

---
title: "Yokogawa CENTUM VP Flaw Exposes Industrial Systems to Unauthorized Access"
short_title: "Hard-coded password flaw in Yokogawa CENTUM VP"
description: "CVE-2025-7741 in Yokogawa CENTUM VP allows attackers to log in as PROG user and modify permissions. Learn mitigation steps now."
author: "Vitus"
date: 2024-10-02
categories: [Cybersecurity, Vulnerabilities]
tags: [yokogawa, centum-vp, cve-2025-7741, hard-coded-password, ics-security]
score: 0.75
cve_ids: [CVE-2025-7741]
---

TL;DR


A hard-coded password vulnerability (CVE-2025-7741) in Yokogawa CENTUM VP could allow attackers to log in as the PROG user and modify system permissions. While the default permissions limit critical changes, improper configurations may escalate risks. Affected organizations are urged to apply vendor-recommended mitigations immediately.

---

Main Content

Critical Vulnerability in Yokogawa CENTUM VP Threatens Industrial Control Systems


Industrial control systems (ICS) are the backbone of critical infrastructure, and vulnerabilities in these systems can have far-reaching consequences. Yokogawa, a global leader in industrial automation, has disclosed a hard-coded password flaw in its CENTUM VP software, tracked as CVE-2025-7741. This vulnerability could enable attackers to gain unauthorized access and modify permissions, posing significant risks to sectors like energy, manufacturing, and food production.

---

Key Points


- Vulnerability: Hard-coded password in Yokogawa CENTUM VP (CVE-2025-7741) allows unauthorized login as the PROG user.
- Affected Versions: CENTUM VP R5.01.00 and later, R6.01.00 and later, and vR7.01.00.
- Impact: Attackers with access to the HIS screen controls could exploit this flaw to modify permissions, though default settings limit critical operations.
- Mitigation: Yokogawa recommends switching to Windows Authentication Mode or applying the R7.01.10 patch for vR7.01.00.
- Severity: Medium (CVSS 4.0) due to high attack complexity and local access requirements.

---

Technical Details


#### Vulnerability Overview
CVE-2025-7741 stems from a hard-coded password for the PROG user account, which is used for CENTUM Authentication Mode. Under specific conditions, an attacker with access to the HIS screen controls could log in as the PROG user. While the default permissions for the PROG user are restricted to S1 (equivalent to OFFUSER), improperly configured systems may allow unauthorized operations or configuration changes.

#### Attack Vector
- Access Requirement: Exploitation requires local access to the HIS screen controls, reducing the risk of remote attacks.
- Attack Complexity: High, as attackers must navigate specific system conditions to exploit the flaw.
- Impact: Limited to permission modifications unless the PROG user’s permissions have been altered.

---

Impact Assessment


#### Sectors at Risk
The vulnerability affects critical infrastructure sectors, including:
- Critical Manufacturing
- Energy
- Food and Agriculture

Yokogawa CENTUM VP is deployed worldwide, amplifying the potential impact of this flaw.

#### Risk Evaluation
- Default Configuration: The risk of critical operations being performed is low due to restricted default permissions.
- Modified Permissions: If the PROG user’s permissions have been altered, the risk of unauthorized operations or configuration changes increases significantly.
- Exploitation Likelihood: No public exploitation has been reported, and the vulnerability’s high attack complexity and local access requirement make widespread exploitation less likely.

---

Mitigation Steps


Yokogawa has provided the following remediation and mitigation strategies for affected versions:

#### Vendor Fixes
- CENTUM VP R5.01.00 to R5.04.20: Switch to Windows Authentication Mode.
- CENTUM VP R6.01.00 to R6.12.00: Switch to Windows Authentication Mode.
- CENTUM VP vR7.01.00: Apply the R7.01.10 patch.
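
To apply the list above across a fleet, the following added example (not Yokogawa tooling and not part of the original advisory) maps each station's release string to the fix listed for it and flags stations whose PROG level is not the default S1. The inventory records, host names and the `release` / `prog_level` field names are constructed assumptions.

```python
import re

# Affected ranges and fixes as listed in this article (bounds inclusive).
FIXES = [
    ((5, 1, 0), (5, 4, 20), "Switch to Windows Authentication Mode"),
    ((6, 1, 0), (6, 12, 0), "Switch to Windows Authentication Mode"),
    ((7, 1, 0), (7, 1, 0), "Apply the R7.01.10 patch"),
]
_RELEASE_RE = re.compile(r"^v?R(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)

# Constructed sample inventory; field names are hypothetical.
INVENTORY = [
    {"host": "HIS0101", "release": "R5.04.20", "prog_level": "S1"},
    {"host": "HIS0102", "release": "R6.09.00", "prog_level": "S2"},
    {"host": "HIS0103", "release": "vR7.01.00", "prog_level": "S1"},
    {"host": "HIS0104", "release": "R7.01.10", "prog_level": "S1"},
    {"host": "HIS0105", "release": "R4.03.00", "prog_level": "S1"},
    {"host": "HIS0106", "release": "6.x", "prog_level": "S1"},
]

def parse_release(text):
    """Parse 'R6.09.00' or 'vR7.01.00' into an int tuple; None if malformed."""
    m = _RELEASE_RE.match(text.strip())
    return tuple(int(g) for g in m.groups()) if m else None

def triage(record):
    """Return (status, action) for one inventory record."""
    release = parse_release(record.get("release", ""))
    if release is None:
        return ("unknown", "Release string unreadable; verify manually")
    for low, high, fix in FIXES:
        if low <= release <= high:
            level = record.get("prog_level")
            if level != "S1":
                # The article treats a PROG level other than the default S1
                # as the higher-risk case; a missing value is unverified.
                note = f"PROG level recorded as {level}; confirm it is S1"
                return ("affected-review-prog", f"{fix}; {note}")
            return ("affected", fix)
    return ("not-listed", "Release is outside the ranges listed in the article")

def report(inventory):
    """Map host name to its (status, action) pair."""
    return {rec["host"]: triage(rec) for rec in inventory}

if __name__ == "__main__":
    for host, (status, action) in report(INVENTORY).items():
        print(f"{host}: {status}: {action}")
```

A `not-listed` result only means the release falls outside the ranges in the Vendor Fixes list here; confirm against YSAR-26-0003 before closing the item.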

#### Additional Recommendations
- Engineering Work: Changing to Windows Authentication Mode requires engineering work. Contact Yokogawa for assistance via [their support portal](https://contact.yokogawa.com/cs/gw?c-id=000498).
- Further Guidance: Refer to Yokogawa’s advisory YSAR-26-0003 for detailed instructions: [YSAR-26-0003-E.pdf](https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf).

#### CISA-Recommended Best Practices
The Cybersecurity and Infrastructure Security Agency (CISA) advises organizations to:
1. Minimize Network Exposure: Ensure control system devices are not accessible from the internet.
2. Isolate Networks: Locate control system networks behind firewalls and separate them from business networks.
3. Secure Remote Access: Use Virtual Private Networks (VPNs) for remote access, ensuring they are updated to the latest version.
4. Perform Risk Assessments: Conduct impact analysis and risk assessments before deploying defensive measures.
5. Monitor for Malicious Activity: Follow established procedures to report suspicious activity to CISA.

For more details, visit CISA’s [ICS webpage](https://www.cisa.gov/ics) and review their recommended practices for control systems security.

---

Conclusion


The discovery of CVE-2025-7741 in Yokogawa CENTUM VP highlights the ongoing risks posed by hard-coded credentials in industrial control systems. While the vulnerability’s high attack complexity and local access requirement reduce its immediate threat, organizations must act swiftly to apply mitigations and prevent potential exploitation.

Affected users should:
- Switch to Windows Authentication Mode or apply the R7.01.10 patch for vR7.01.00.
- Monitor system permissions to ensure the PROG user’s access remains restricted.
- Follow CISA’s guidelines to enhance the security of their ICS environments.

Proactive measures are essential to safeguarding critical infrastructure from evolving cyber threats.

---

References


[^1]: Yokogawa. ["YSAR-26-0003: CENTUM VP Hard-coded Password Vulnerability"](https://web-material3.yokogawa.com/1/39281/files/YSAR-26-0003-E.pdf). Retrieved 2024-10-02.
[^2]: CISA. ["ICS Advisory (ICSA-26-092-02): Yokogawa CENTUM VP Vulnerability"](https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-02). Retrieved 2024-10-02.
[^3]: MITRE. ["CWE-259: Use of Hard-coded Password"](https://cwe.mitre.org/data/definitions/259.html). Retrieved 2024-10-02.
