[TIMESTAMP: 2026-02-26 20:16 UTC] [AUTHOR: Runtime Rebel Intel] [SEVERITY: MEDIUM]

Multiple DoS/RCE Vulnerabilities in Yokogawa CENTUM VP R6, R7


Overview

CISA has issued an advisory regarding multiple vulnerabilities identified in Yokogawa CENTUM VP R6 and R7, specifically impacting the Vnet/IP Interface Package. These vulnerabilities, if successfully exploited, could lead to denial-of-service (DoS) conditions or the execution of arbitrary code within critical industrial control system (ICS) environments. Affected sectors include Critical Manufacturing, Energy, and Food and Agriculture, all of which rely on such systems for operational continuity and safety. The vulnerabilities apply to Vnet/IP Interface Packages for CENTUM VP R6 (VP6C3300) and R7 (VP7C3300) <=R1.07.00, according to CISA.

Technical Details and Analysis

The advisory details six distinct vulnerabilities, ranging in CVSS v3.1 base score from 5.3 (Medium) to 6.9 (Medium). A common theme across these vulnerabilities is the requirement for maliciously crafted packets to trigger the adverse effects. While the CVSS scores indicate a medium severity, CISA explicitly notes that these vulnerabilities are not exploitable remotely and possess a high attack complexity.

Core Vulnerabilities

  • CVE-2025-1924 (CVSS 6.9, Medium): This is the most severe of the disclosed vulnerabilities. It involves an Out-of-bounds Write (CWE-787) that, when triggered by maliciously crafted packets, can cause Vnet/IP communication functions to cease operation, effectively leading to a DoS, or, in more critical scenarios, allow for arbitrary code execution. The ability to execute arbitrary code within an ICS environment is a significant concern, as it could enable an attacker to manipulate processes, exfiltrate sensitive data, or establish persistence.

  • CVE-2025-48019, CVE-2025-48020, CVE-2025-48023 (CVSS 5.3, Medium): These three vulnerabilities are categorized as Reachable Assertion (CWE-617) flaws. An attacker leveraging maliciously crafted packets can cause the Vnet/IP software stack process to terminate, resulting in a DoS condition. While not leading to arbitrary code execution, the interruption of critical processes in an industrial setting can have severe operational and safety implications.

  • CVE-2025-48021 (CVSS 5.3, Medium): This vulnerability is an Integer Underflow (Wrap or Wraparound) (CWE-191). As with the reachable-assertion flaws above, it allows for the termination of the Vnet/IP software stack process when specially crafted packets are received, leading to a DoS.

  • CVE-2025-48022 (CVSS 5.3, Medium): This vulnerability stems from Improper Handling of Length Parameter Inconsistency (CWE-130). Similar to the other issues, it can be exploited by crafted packets to terminate the Vnet/IP software stack process, inducing a DoS.
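
The four weakness classes listed above (CWE-787, CWE-617, CWE-191, CWE-130) are all countered by the same parsing discipline: check every length relationship before any arithmetic or copy, and reject malformed input with an error code rather than an assertion. The C code below is an added example, not code from Yokogawa, CISA or the original article; the frame layout, `parse_frame` and all constants are hypothetical and do not describe the Vnet/IP protocol.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical frame: type(1) | declared_len(2, big-endian, header + payload) | payload */
#define HDR_LEN 3u
#define MAX_PAYLOAD 64u

enum parse_status { PARSE_OK = 0, ERR_TRUNCATED, ERR_LEN_BELOW_HEADER,
                    ERR_LEN_MISMATCH, ERR_TOO_LARGE };

struct frame { uint8_t type; uint16_t payload_len; uint8_t payload[MAX_PAYLOAD]; };

/* Malformed input always yields an error code; nothing here asserts on
 * attacker-controlled data, so a bad packet cannot abort the process (CWE-617). */
enum parse_status parse_frame(const uint8_t *buf, size_t rx_len, struct frame *out)
{
    if (buf == NULL || out == NULL || rx_len < HDR_LEN)
        return ERR_TRUNCATED;
    uint16_t declared = (uint16_t)((buf[1] << 8) | buf[2]);
    /* CWE-191: declared - HDR_LEN would wrap to a huge unsigned value. */
    if (declared < HDR_LEN)
        return ERR_LEN_BELOW_HEADER;
    /* CWE-130: the length field must agree with the bytes actually received. */
    if ((size_t)declared != rx_len)
        return ERR_LEN_MISMATCH;
    size_t payload_len = (size_t)declared - HDR_LEN;
    /* CWE-787: bound the copy by the destination buffer, not by the packet. */
    if (payload_len > MAX_PAYLOAD)
        return ERR_TOO_LARGE;
    out->type = buf[0];
    out->payload_len = (uint16_t)payload_len;
    memcpy(out->payload, buf + HDR_LEN, payload_len);
    return PARSE_OK;
}

int main(void)
{
    /* Constructed sample: declared length 2 is smaller than the 3-byte header. */
    const uint8_t bad[] = { 0x01, 0x00, 0x02 };
    struct frame f;
    printf("status=%d\n", (int)parse_frame(bad, sizeof bad, &f));
    return 0;
}
```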

Contextualizing the Threat

Despite the ‘Medium’ severity rating and the ‘high attack complexity,’ the potential impact on critical infrastructure assets cannot be overstated. Operational technology (OT) environments, where Yokogawa CENTUM VP systems are deployed globally, prioritize availability and integrity above all. A DoS event, even if requiring prior network access and specific conditions to execute, can disrupt production, compromise safety systems, and result in significant financial losses. Arbitrary code execution (CVE-2025-1924) represents a direct path to full system compromise if an attacker can overcome the high attack complexity and gain requisite network proximity.

Actionable Recommendations and Mitigations

Organizations utilizing Yokogawa CENTUM VP R6 and R7 are urged to apply immediate mitigations to reduce exposure to these vulnerabilities. Proactive defense strategies are essential for protecting industrial control systems.

Vendor-Specific Mitigations

  • Apply Patch Software: Yokogawa recommends applying patch software R1.08.00. Users should consult the official Yokogawa advisory YSAR-26-0002 for detailed instructions and support. Organizations should contact their local Yokogawa support office for assistance.

General ICS Cybersecurity Best Practices

In addition to vendor-supplied patches, CISA recommends implementing the following defensive measures to minimize the risk of exploitation:

  • Network Segmentation: Minimize network exposure for all control system devices and systems. Ensure they are not directly accessible from the internet. Isolate control system networks and remote devices behind firewalls and segment them from business networks. This limits an attacker’s lateral movement even if initial access is gained.
  • Secure Remote Access: When remote access is required for control systems, use secure methods such as Virtual Private Networks (VPNs). It is crucial to ensure that VPNs are updated to the most current version available and are securely configured, recognizing that VPNs themselves can have vulnerabilities if not properly managed.
  • Impact Analysis and Risk Assessment: Before deploying any defensive measures or system changes, perform a thorough impact analysis and risk assessment. This ensures that mitigations do not inadvertently disrupt critical operations.
  • Defense-in-Depth Strategies: Implement a layered cybersecurity approach for ICS assets, encompassing physical, network, system, and application security controls.
  • Awareness and Training: Educate personnel on recognizing and avoiding social engineering and phishing attacks, as these often serve as initial vectors for attackers to gain internal network access. Do not click web links or open attachments in unsolicited email messages.
  • Reporting Suspected Activity: Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
