Yokogawa CENTUM VP

# Yokogawa CENTUM VP Hardcoded Password Exposes Critical Manufacturing Systems

## The Threat

Yokogawa has disclosed a critical vulnerability in its CENTUM VP industrial control system software that could allow attackers to gain unauthorized access and modify system configurations. The flaw stems from a hardcoded password embedded in the PROG user account—a privileged system account used for authentication within CENTUM VP's proprietary authentication mode.

The vulnerability is particularly concerning because CENTUM VP is widely deployed across critical infrastructure sectors, including energy generation, chemical manufacturing, and food production facilities worldwide. The hardcoded password creates a straightforward path for attackers who have gained initial access to the Human-Machine Interface (HMI) or engineering screens to escalate their privileges and potentially manipulate industrial processes.

What makes this vulnerability especially dangerous is the nature of industrial control systems. Unlike traditional IT environments where a compromised account might expose data, a compromised ICS can lead to direct physical consequences—equipment malfunction, production disruptions, safety hazards, or environmental damage. The fact that this password has been hardcoded into the software means every instance of affected CENTUM VP installations potentially shares the same credential.

## Severity and Impact

| Field | Value |

|-------|-------|

| CVE ID | CVE-2025-7741 |

| CVSS v3.1 Score | 4.0 (MEDIUM) |

| Vector String | CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N |

| Attack Vector | Local (AV:L) |

| Attack Complexity | High (AC:H) |

| Privileges Required | None (PR:N) |

| User Interaction | None (UI:N) |

| Scope | Unchanged (S:U) |

| Confidentiality Impact | Low (C:L) |

| Integrity Impact | Low (I:L) |

| Availability Impact | None (A:N) |

| CWE | CWE-259: Use of Hard-coded Password |

The MEDIUM severity rating reflects the attack's local nature—an attacker must already have access to the HIS (Human-Machine Interface) screen controls to exploit the vulnerability. However, in many industrial facilities, the HIS is accessible from engineering workstations, maintenance terminals, and sometimes via remote access during troubleshooting sessions, potentially expanding the attack surface.

Yokogawa assigns a low-risk rating for properly configured systems because the default PROG user permissions are set to S1 (equivalent to OFFUSER)—a limited permission level. However, this assessment assumes permissions have not been modified. Many organizations customize user permissions for operational efficiency, meaning the actual risk in real-world deployments could be significantly higher.

## Affected Products

The following versions of Yokogawa CENTUM VP contain the vulnerability:

Organizations running any of these versions should immediately assess their deployment and determine whether the PROG user's permissions have been modified from the default configuration.

## Mitigations

Yokogawa has provided version-specific remediation guidance, though some options require significant operational changes:

For CENTUM VP R5.01.00 through R5.04.19:

Apply patch software or switch to Windows Authentication Mode. Migrating to Windows Authentication Mode requires engineering work and should be coordinated with Yokogawa support.

For CENTUM VP R6.01.00 through R6.11.99:

Apply available patches or migrate to Windows Authentication Mode (requires engineering support and planned downtime).

For CENTUM VP R7.01.00:

Apply patch software version R7.01.10 immediately. This is the preferred short-term fix and avoids the operational complexity of authentication mode migration.

Immediate Actions (All Versions):

1. Audit PROG User Permissions: Review your PROG user account configuration. If permissions exceed the default S1 level, escalate this to critical priority.

2. Restrict HIS Access: Implement network-level controls to limit access to the CENTUM VP HIS screens. Restrict engineering workstations to specific authorized staff and network segments.

3. Implement Network Segmentation: Isolate CENTUM VP systems from corporate networks and the internet. Deploy them behind firewalls with strict ingress/egress rules. Never expose HIS interfaces to untrusted networks.

4. Monitor for Unauthorized Access: Enable logging on CENTUM VP systems and establish alerts for PROG user authentication attempts. Monitor for unusual activity during off-hours.

5. Virtual Private Networks: If remote engineering access is required, enforce VPN connections with multi-factor authentication and restrict to specific authorized personnel.

6. Contact Yokogawa Support: Reach out to Yokogawa for guidance on your specific deployment. They can provide detailed patch information, authentication mode migration guidance, and implementation schedules tailored to your infrastructure.

## References

---

Bottom Line: This vulnerability represents a tangible risk to industrial operations worldwide. While the default permission structure limits immediate impact, the wide deployment of CENTUM VP and the ease of exploitation (if HIS access is available) make this a priority remediation issue. Organizations should prioritize patch application for R7.01.00 systems and begin assessment and planning for R5 and R6 migrations within the next 30 days. For critical infrastructure operators, Yokogawa support should be engaged immediately to coordinate remediation with operational schedules.