🛡️ VULNERABILITY BRIEF · 🟢 Low · 🛡️ Vulnerability

Hardcoded Password in Yokogawa CENTUM VP (CVE‑2025‑7741) Enables Privilege Escalation in Critical OT Systems

A hard‑coded credential in Yokogawa CENTUM VP (CVE‑2025‑7741) permits an attacker who already reaches the HIS screen to log in as the PROG user and, if permissions are elevated, modify control‑system settings. The flaw affects all recent CENTUM VP releases and poses a supply‑chain risk for energy, manufacturing, and food‑agriculture operators worldwide.

🛡️ LiveThreat™ Intelligence · 📅 April 03, 2026 · 📰 cisa.gov
🟢 Severity: Low
🛡️ Type: Vulnerability
🎯 Confidence: High
🏢 Affected: 3 sector(s)
Actions: 5 recommended
📰 Source: cisa.gov


What It Is – A hard‑coded password for the built‑in PROG account in Yokogawa CENTUM VP allows an attacker who already has access to the Human‑Machine Interface (HIS) screen to log in as PROG and, if the account’s permissions have been altered, modify system configurations.

Exploitability – No public exploit code is known, but the vulnerability is trivial to abuse once an insider or compromised network foothold exists. CVSS v3.1 base score 4.0 (Low).

Affected Products – Yokogawa CENTUM VP versions ≥ R5.01.00, ≥ R6.01.00 and R7.01.00 (the version referenced by CVE‑2025‑7741).

TPRM Impact – Organizations that rely on Yokogawa CENTUM VP for process control (energy, manufacturing, food & agriculture) face a supply‑chain risk: a breach in a partner’s OT environment could cascade to downstream customers, potentially leading to unauthorized process changes or data leakage.

Recommended Actions

  • Apply Yokogawa’s latest security patch that removes the hard‑coded credential.
  • Immediately change the PROG password and enforce a strong, unique secret.
  • Review and, if necessary, revert any elevated permissions granted to the PROG account.
  • Restrict HIS screen access to authenticated, network‑segmented users only.
  • Deploy continuous monitoring for anomalous PROG logins and privilege‑escalation attempts.
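As an added illustration of the last action (not code from the advisory or from Yokogawa), the script below flags PROG account activity that falls outside the controls the list describes: logons from hosts other than the segmented HIS stations, activity outside a maintenance window, and permission changes to the account. The log format, host names, window and sample lines are all constructed for the example; CENTUM VP's real audit records differ.

```python
"""Flag suspicious use of the built-in PROG account in constructed HIS audit lines."""
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample log: "<timestamp>|<event>|<account>|<source host>|<detail>".
# The format is invented for this example, not CENTUM VP's actual audit format.
SAMPLE_LOG = """\
2026-04-03T08:15:02|LOGON|OPERATOR1|HIS0101|console
2026-04-03T09:40:11|LOGON|PROG|HIS0101|console
2026-04-03T23:02:45|LOGON|PROG|ENG-LAPTOP-7|remote
2026-04-03T23:03:10|PRIV_CHANGE|PROG|ENG-LAPTOP-7|group=Administrators
2026-04-03T10:05:00|LOGON|PROG|HIS0102|console
"""

APPROVED_HIS = {"HIS0101", "HIS0102"}      # segmented HIS stations (assumed names)
MAINT_WINDOW = (time(8, 0), time(18, 0))   # approved maintenance window (assumed)

@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str
    account: str
    host: str
    detail: str

def parse(log: str) -> list[Event]:
    """Split each pipe-delimited line into an Event."""
    events = []
    for line in log.splitlines():
        ts, kind, account, host, detail = line.split("|", 4)
        events.append(Event(datetime.fromisoformat(ts), kind, account, host, detail))
    return events

def alerts(events: list[Event]) -> list[str]:
    """Return one alert string per PROG event that violates a control."""
    out = []
    for ev in events:
        if ev.account != "PROG":
            continue
        reasons = []
        if ev.kind == "PRIV_CHANGE":
            reasons.append("permission change on built-in account")
        if ev.host not in APPROVED_HIS:
            reasons.append(f"source {ev.host} is not an approved HIS")
        if not MAINT_WINDOW[0] <= ev.ts.time() <= MAINT_WINDOW[1]:
            reasons.append("outside maintenance window")
        if reasons:
            out.append(f"{ev.ts.isoformat()} {ev.kind} PROG@{ev.host}: " + "; ".join(reasons))
    return out

if __name__ == "__main__":
    for alert in alerts(parse(SAMPLE_LOG)):
        print(alert)
```

A routine PROG console logon from an approved HIS inside the window produces no alert; the two night-time events from the unapproved host do.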

Source: CISA Advisory – ICSA‑26‑092‑02

📰 Original Source
https://www.cisa.gov/news-events/ics-advisories/icsa-26-092-02

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.
