Listen to this Post
CVE-2025-66596 is a medium-severity vulnerability discovered in Yokogawa’s FAST/TOOLS industrial automation software. The flaw resides in how the application handles HTTP request headers. Specifically, the software fails to properly validate the “Host” header received in incoming requests. The Host header is typically used to determine which virtual host or website the client is trying to reach. By manipulating this header and inserting an invalid or malicious value, an attacker can exploit this improper validation to perform an open redirect. When a user attempts to access the legitimate FAST/TOOLS web interface (specifically packages like HMIWEB or HMIMOB), the server may redirect the user’s browser to an arbitrary, attacker-controlled site instead of the intended resource. This is classified as CWE-601: URL Redirection to Untrusted Site (‘Open Redirect’). The attack can be executed remotely over the network without any authentication or user interaction beyond the initial request. While the confidentiality and availability of the system are not directly impacted, the integrity of the user’s session can be compromised as they are led to a malicious site, making this a powerful tool for phishing campaigns and malware distribution against users within an industrial control network .
dailycve form:
Platform: Yokogawa FAST/TOOLS
Version: R9.01-R10.04
Vulnerability : Open Redirect
Severity: Medium (CVSS:6.9)
date: 09 Feb 2026
Prediction: 16 Mar 2026
What Undercode Say:
Analytics:
The vulnerability affects the core web server components of the FAST/TOOLS suite, specifically targeting packages designed for human-machine interface (HMI) and mobile access (HMIWEB, HMIMOB). The attack vector is network-based with low complexity, requiring no special privileges. Given that the product is used in critical infrastructure sectors like energy , the risk of targeted phishing campaigns is elevated. The exploitation maturity is currently undefined, but the simplicity of Host header injection attacks suggests that proof-of-concept code could emerge quickly.
Exploit:
A basic exploit can be simulated using `curl` to inject a malicious Host header. This command tricks the vulnerable FAST/TOOLS server into redirecting the user to evil.com.
Simulate a request with a malicious Host header curl -H "Host: evil.com" http://<victim-fast-tools-server>/<any-endpoint> -v
A more advanced script can be used to test if the server is vulnerable by checking the `Location` header in the response.
!/bin/bash Simple vulnerability scanner for CVE-2025-66596 TARGET="http://<victim-ip>" MALICIOUS_HOST="attacker.com" Send request with modified host header RESPONSE_HEADERS=$(curl -s -i -H "Host: $MALICIOUS_HOST" $TARGET) Check for open redirect pattern if echo "$RESPONSE_HEADERS" | grep -qi "Location:.$MALICIOUS_HOST"; then echo "[bash] Target redirects to attacker-controlled host." else echo "[bash] Target does not redirect or validates headers." fi
Protection from this CVE:
- Apply Vendor Patch: The primary mitigation is to apply the security update provided by Yokogawa in advisory YSAR-26-0001 .
- Input Validation: Implement strict validation of the Host header on the server side, ensuring it matches a whitelist of approved domain names.
- Web Application Firewall (WAF): Deploy rules to inspect and block requests containing suspicious or unexpected Host headers.
- User Awareness: Train users in industrial environments not to trust redirects and to verify the legitimacy of URLs before entering credentials.
Impact:
Successful exploitation allows attackers to redirect authenticated users and engineers to phishing sites that mimic the FAST/TOOLS login page. This can lead to the theft of credentials, which could then be used to gain unauthorized access to industrial control systems, potentially leading to disruption of operations or unsafe conditions in critical infrastructure environments .
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: nvd.nist.gov
Extra Source Hub:
Undercode

