CVE-2025-66594 is a vulnerability classified under CWE-209, which pertains to the generation of error messages containing sensitive information. This issue affects Yokogawa Electric Corporation's FAST/TOOLS software, specifically versions from R9.01 through R10.04, including packages RVSVRN, UNSVRN, HMIWEB, FTEES, and HMIMOB. The vulnerability arises because the software displays detailed error messages that reveal sensitive internal information on error pages. Such information disclosure can provide attackers with insights into system configurations, software versions, or other data that can be leveraged to mount more sophisticated attacks, such as targeted exploitation or privilege escalation. The CVSS 4.0 base score is 6.9, indicating a medium severity level. The vector indicates the vulnerability is remotely exploitable over the network (AV:N), requires no privileges (PR:N), no user interaction (UI:N), and does not affect confidentiality, integrity, or availability directly (VC:L, VI:N, VA:N). The vulnerability does not require authentication and can be exploited without user interaction, increasing its risk profile. No patches are currently linked, and no known exploits are reported in the wild, but the exposure of sensitive information in error messages is a recognized security risk, especially in industrial control systems where FAST/TOOLS is used for monitoring and control. The vulnerability was reserved in December 2025 and published in February 2026.

For European organizations, especially those operating critical infrastructure and industrial control systems, this vulnerability poses a risk of information leakage that could facilitate further attacks. FAST/TOOLS is widely used in process automation and control environments, including energy, manufacturing, and utilities sectors. Disclosure of sensitive error information can aid attackers in mapping system architecture, identifying software versions, or discovering configuration details, which can be used to craft targeted exploits or conduct reconnaissance for more damaging attacks. Although the vulnerability does not directly compromise confidentiality, integrity, or availability, the indirect impact through enabling subsequent attacks could be significant. European countries with large industrial bases and advanced manufacturing sectors—such as Germany, France, Italy, and the UK—are particularly at risk. The vulnerability could also affect organizations involved in energy production and distribution, where Yokogawa products are often deployed. The lack of known exploits reduces immediate risk but does not eliminate the potential for future exploitation.

1. Limit the detail of error messages exposed to end users by configuring FAST/TOOLS to display generic error responses instead of detailed diagnostic information. 2. Monitor network traffic and logs for unusual access patterns or repeated error page requests that could indicate reconnaissance attempts. 3. Implement strict network segmentation to isolate FAST/TOOLS systems from general enterprise networks and restrict access to authorized personnel only. 4. Apply vendor patches or updates as soon as they become available, and maintain close communication with Yokogawa for security advisories. 5. Conduct regular security assessments and penetration testing focused on error handling and information leakage in industrial control systems. 6. Use web application firewalls (WAFs) or intrusion detection/prevention systems (IDS/IPS) to detect and block attempts to exploit error message disclosures. 7. Train operational technology (OT) and IT staff on the risks associated with information disclosure vulnerabilities and best practices for secure error handling.