Yokogawa CENTUM VP CVE-2025-7741 Hardcoded Password Patch Guidance
- [01] Immediate impact: Attackers with local access to Human Interface Station controls can log in as the PROG user to modify system permissions.
- [02] Affected systems: Yokogawa CENTUM VP versions R5.01.00 to R5.04.20, R6.01.00 to R6.12.00, and version R7.01.00 are confirmed vulnerable.
- [03] Remediation: Impacted organizations should migrate to Windows Authentication Mode or apply the R7.01.10 security patch for version R7 systems.
Vulnerability Overview
Yokogawa Electric Corporation has disclosed a security flaw in its CENTUM VP distributed control system (DCS), which is widely utilized across critical infrastructure sectors such as energy, food and agriculture, and critical manufacturing. According to CISA Advisory ICSA-26-092-02, the vulnerability involves the use of a hardcoded password within the system’s internal authentication mechanism.
This flaw, tracked as CVE-2025-7741, resides in the CENTUM Authentication Mode. If exploited, an attacker could gain unauthorized access to the system by logging in as the ‘PROG’ user. While the default permissions for this account are typically limited, the presence of a static credential creates a significant risk of Privilege Escalation if the account’s permissions were previously modified for maintenance or engineering purposes. The CVSS base score is currently rated at 4.0 (Medium), reflecting the high attack complexity and the requirement for local access to the Human Interface Station (HIS) screen controls.
Technical Analysis of CVE-2025-7741
The root cause of this CVE is categorized as CWE-259: Use of Hard-coded Password. In many Industrial Control System (ICS) environments, hardcoded credentials are a legacy of design choices intended to ensure system availability and ease of recovery. However, in modern threat landscapes, these static secrets are easily discovered by adversaries conducting Lateral Movement within an operational technology (OT) network.
To successfully leverage this vulnerability, an attacker must already have attained physical or logical access to the HIS environment. Once access to the screen controls is established, the attacker can use the ‘PROG’ account credentials to bypass standard authentication barriers. Although the default S1 permission (OFFUSER) restricts the account from performing critical operations, any administrative drift that elevated this account’s rights would allow for unauthorized configuration changes. To detect CVE-2025-7741 exploit attempts, security teams should audit login events for the PROG user on HIS workstations and correlate those logs within a SIEM or SOC platform.
Impact on Critical Infrastructure
The deployment of Yokogawa CENTUM VP is global, making this vulnerability a concern for international infrastructure stability. While the attack complexity is rated as high, the predictability of hardcoded credentials provides a reliable vector for MITRE ATT&CK techniques such as T1078 (Valid Accounts). Organizations failing to address this could face disruptions in manufacturing or energy production if an internal threat or a previously compromised system is used as a staging point for an attack.
ICS Security Best Practices for Hardcoded Passwords
Defenders should not rely solely on the limited permissions of the PROG account. As part of a Zero Trust architecture, hardcoded credentials should be treated as high-risk assets. Effective ICS security best practices for hardcoded passwords include isolating control networks behind firewalls and ensuring that HIS workstations are not exposed to the public internet or general business networks.
Remediation and Mitigation Steps
Yokogawa has provided specific remediation paths based on the version of the software in use. The primary recommendation for older deployments is to transition away from CENTUM Authentication Mode entirely.
- CENTUM VP R5.01.00 to R5.04.20: Administrators must change the user authentication mode to Windows Authentication Mode. This requires engineering work and coordination with Yokogawa support.
- CENTUM VP R6.01.00 to R6.12.00: Similar to R5, users should migrate to Windows Authentication Mode to eliminate reliance on the hardcoded credential.
- CENTUM VP R7.01.00: Organizations should prioritize the installation of the Yokogawa CENTUM VP R7.01.00 patch software (specifically patch R7.01.10) to address the vulnerability.
In addition to these fixes, CISA recommends that all ICS operators minimize network exposure for all control system devices and utilize secure remote access methods, such as Virtual Private Networks (VPNs), when direct connectivity is required.
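The version ranges and fixes listed above can be combined with the PROG login audit described in the technical analysis. The following is an added example, not Yokogawa or CISA code, that triages PROG logins against an asset inventory. The host names, the inventory fields (version, auth_mode), the event schema (ts, host, user) and the severity labels are assumptions, and the sample data is constructed.

```python
import re

# Affected ranges and fixes as stated in this article (bounds inclusive).
AFFECTED = [
    ((5, 1, 0), (5, 4, 20), "migrate to Windows Authentication Mode"),
    ((6, 1, 0), (6, 12, 0), "migrate to Windows Authentication Mode"),
    ((7, 1, 0), (7, 1, 0), "apply patch R7.01.10"),
]

def parse_version(text):
    """Turn 'R6.09.00' into (6, 9, 0); reject anything else."""
    m = re.fullmatch(r"R(\d+)\.(\d{2})\.(\d{2})", text.strip())
    if not m:
        raise ValueError(f"unrecognized CENTUM VP version: {text!r}")
    return tuple(int(g) for g in m.groups())

def remediation_for(version_text):
    """Return the article's remediation for an affected version, else None."""
    v = parse_version(version_text)
    for low, high, action in AFFECTED:
        if low <= v <= high:
            return action
    return None

def prog_login_findings(inventory, events):
    """Report every PROG login, ranked by whether the host is still exposed."""
    findings = []
    for ev in (e for e in events if e["user"].upper() == "PROG"):
        asset = inventory.get(ev["host"])
        action = remediation_for(asset["version"]) if asset else None
        if asset is None:  # unknown host: exposure cannot be ruled out
            findings.append((ev["ts"], ev["host"], "review", "host not in inventory"))
        elif action and asset["auth_mode"] == "CENTUM":
            findings.append((ev["ts"], ev["host"], "high", action))
        else:
            findings.append((ev["ts"], ev["host"], "review", "not in an affected configuration"))
    return findings

# Constructed sample data: hypothetical hosts, users and normalized event schema.
INVENTORY = {
    "HIS0164": {"version": "R6.09.00", "auth_mode": "CENTUM"},
    "HIS0162": {"version": "R5.04.20", "auth_mode": "Windows"},
}
EVENTS = [
    {"ts": "2026-04-02T03:14:07Z", "host": "HIS0164", "user": "PROG"},
    {"ts": "2026-04-02T08:00:11Z", "host": "HIS0164", "user": "operator1"},
    {"ts": "2026-04-02T09:30:45Z", "host": "HIS0162", "user": "prog"},
]
```

Calling `prog_login_findings(INVENTORY, EVENTS)` returns one "high" finding for HIS0164 and one "review" finding for HIS0162, which is already on Windows Authentication Mode.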